
I'm trying to make a (temporary) login storing the users in my web.config file. After adding deny to the web.config file, it gives me this error:

HTTP Error 404.15 - Not Found The request filtering module is configured to deny a request where the query string is too long.

The URL looks like this:

http://localhost/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FAccount%252525252525252525252525252525252525252FLogin%252525252525252525252525252525252525253FReturnUrl%252525252525252525252525252525252525253D%25252525252525252525252525252525252525252F

(Without deny it sets the cookie, but I can still access all the pages.)

This is how it looks in my web.config:

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" name=".ASPXAUTH" slidingExpiration="true" timeout="1440" path="/" defaultUrl="~/">
        <credentials passwordFormat="Clear">
          <user name="matchUser80" password="123Match789"/>
        </credentials>
      </forms>
    </authentication>

    <authorization>
      <deny users="?" />
    </authorization>

And my controller:

    [HttpPost]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        if (FormsAuthentication.Authenticate(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            FormsAuthentication.RedirectFromLoginPage(model.UserName, false);
            if (returnUrl != null)
            {
                return Redirect(returnUrl);
            }
            return View();
        }

        ModelState.AddModelError(string.Empty, "Wrong username or password");
        return View(model);
    }

I'm using MVC 5.

tereško
WIRN

1 Answer


You should use attributes instead of web.config configuration to authorize your MVC application. Web.config configuration should be used only with Web Forms applications.

Decorate your Login action (both the GET and POST version) with the [AllowAnonymous] attribute.

Use the [Authorize] attribute for other controllers.

Read this article to see how to secure your MVC application.

Update

I reproduced your problem locally with the default MVC project, and I had this in my web.config:

    <system.webServer>
        <modules>
          <remove name="FormsAuthentication" />
        </modules>
    </system.webServer>

Everything started working after I commented out the <remove name="FormsAuthentication" /> part.

Marian Ban
  • Thanks, but I've tried putting [Authorize] on my controller, but then I can't access it even though I'm logged in. I created a cookie with this: FormsAuthentication.SetAuthCookie(model.UserName, false); but the [Authorize] does not check my cookie. Should I not use SetAuthCookie? – WIRN Oct 07 '14 at 08:32
  • @WIRN you also have to put [AllowAnonymous] on the action method which should be accessible by unauthorized users. – Marian Ban Oct 07 '14 at 08:34
  • Yes, I've done that, otherwise I couldn't create the cookie with SetAuthCookie (which is called on my login controller). – WIRN Oct 07 '14 at 08:36
  • @WIRN to authenticate the user from web.config use FormsAuthentication.Authenticate(name, password) and then FormsAuthentication.RedirectFromLoginPage(name, false); – Marian Ban Oct 07 '14 at 08:37
  • @WIRN I don't think you have to use SetAuthCookie. – Marian Ban Oct 07 '14 at 08:41
  • I've been using FormsAuthentication.Authenticate and FormsAuthentication.RedirectFromLoginPage (please see the code above), but you are probably right about not having to use SetAuthCookie since it still creates the cookie. But still, when I'm trying to browse to the controller with the [Authorize] attribute it redirects me to the login page... By the way, thanks a lot for your time... – WIRN Oct 07 '14 at 08:46
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/62577/discussion-between-wirn-and-majob). – WIRN Oct 07 '14 at 08:50
  • You are my hero MajoB. It works great after reading your update in your post. Many thanks! – WIRN Oct 07 '14 at 13:32
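As an added example (not code from the question or the answer), this is what the answer's advice looks like in an MVC 5 controller: both Login actions carry [AllowAnonymous], every other controller carries [Authorize], and the ReturnUrl is checked with Url.IsLocalUrl before redirecting so the login page cannot be turned into an open redirect. The shape of LoginModel, the Home/Index landing action and a login view that emits @Html.AntiForgeryToken() are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

// Assumed shape of the LoginModel the question's action binds to.
public class LoginModel
{
    [Required] public string UserName { get; set; }
    [Required] public string Password { get; set; }
}

public class AccountController : Controller
{
    // Both Login actions must be reachable anonymously; otherwise each visit
    // to the login page is itself redirected to loginUrl, nesting ReturnUrl
    // until request filtering rejects the query string with 404.15.
    [HttpGet, AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        // Checks the pair against the <credentials> element in web.config.
        if (FormsAuthentication.Authenticate(model.UserName, model.Password))
        {
            // Issue the .ASPXAUTH cookie, then redirect only to a local URL so a
            // crafted ReturnUrl cannot send the user to another host.
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        ModelState.AddModelError(string.Empty, "Wrong username or password");
        return View(model);
    }
}

// Every controller outside AccountController requires an authenticated user.
[Authorize]
public class HomeController : Controller
{
    public ActionResult Index() { return View(); }
}
```

Pair it with a web.config that keeps the <authentication mode="Forms"> block with its <credentials>, drops the <authorization> element entirely, and has no <remove name="FormsAuthentication" /> under <system.webServer>/<modules>.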