R – Using Forms Authentication without .Net providers

asp.netforms-authentication

I want to protect a section of my website using forms authentication with the username and password as defined by me in the web.config. When I attempt to login I get the message below.

Server Error in '/' Application.

Could not find stored procedure 'dbo.aspnet_CheckSchemaVersion'.

I'm guessing this is happening because it's attempting to use the Membership tables as defined by the LocalSqlServer connection string. I don't want to use the Membership features, how do I configure my web app to do that?

Will I need to write the Authenticate function myself for the in-built Login control?

Best Answer

The problem isn't with your config file, it's with the Login control.

The Login control uses the default Membership Provider that is defined in the machine.config. (It's a SqlMembershipProvider that points to a SQL Express database).

You don't want to use the default Membership Provider at all. Simply create your own login page and use the following server-side logic to validate the credentials and log the user into the site:

    if( Page.IsValid )
        if (FormsAuthentication.Authenticate(txtName.Text,txtPassword.Text)) 
            FormsAuthentication.RedirectFromLoginPage(txtName.Text, false);
        else
            lblMsg1.Text = "Wrong name or password. Please try again.";

Related Solutions

R – Can we create an application with its own Web.config and Forms Authentication section inside another application using Forms Authentication

IIRC, the authentication works per folder. So you should be able to do it if all of the pages that require the 2nd type of authentication live in a specific sub-folder with it's own config.

Not 100% sure on this, though, so if someone more knowledgeable can contradict me I'll just delete the response.

R – IP check using ASP.NET Forms Authentication

First, are you sure you want to do this? IP spoofing would be an ideal way to then attack your site if anyone could guess the range of IP addresses that you were not verifying! Even if they just knew the range of addresses, this makes a brute force attack trivial.

Second, you can just check the IP address in the login page and redirect from there...no need for an HttpModule. But, again, I would NOT do this if I were you.

UPDATE: R G - a couple of things. My thinking was that you would do an Authenticate() call before redirecting. This would avoid having the redirect loop back. But it looks like you don't even need that because...

Second, from your comment below (in Ben's post), you'll be using this code in a Web Service. If that is the case, couldn't you put the web service in the Web.Config page as a permitted access page? Just add this:

<location path="YourWebService.asmx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

This is what we do although we do require that the users of our web service send along a "magic phrase" before we'll process the web service request (it is also SSL encrypted).

Best Answer

Related Solutions

R – Can we create an application with its own Web.config and Forms Authentication section inside another application using Forms Authentication

R – IP check using ASP.NET Forms Authentication

Related Topic