On an ASP.NET website hosted on Azure, I need to secure a page so that only certain users can access it. Because of a javascript library used in the page, it will work correctly only when served over HTTP, but the ASP.NET authentication will not allow access unless the page is served over HTTPS.

To limit access to the secure page, I added a Web.config file to the folder containing the page:

       <allow roles="Admin" />
       <allow roles="Map Viewer" />
       <deny users="*" />

The main web.config file sets up forms authentication.

<authentication mode="Forms">
  <forms loginUrl="~/account/login/"
         timeout="2880" />

This works like a charm if you access the secured page through https (e.g. https://example.com/Map). You are prompted to log in, you enter your credentials, and then you go to the page. As noted above, the page will not work correctly if served over http. However, ASP.NET authentication/authorization won't allow you to access it: 1. If you are not logged in and try to access the page over http, you are redirected to the site home page once you log in. 2. If you are logged in and try to access the page over http, you are shown the log in screen even though you are already logged in.

No other secure pages on the site require HTTP to work correctly, and this form-based authentication process has been working fine for those pages for years.

Related posts

Recent Viewed