Tags: cookies, asp-classic, forms-authentication

Classic ASP - web.config deny rule not detecting cookie


I have taken on an Internet-facing Classic ASP application (hosted on Windows Server 2012 / IIS 8) that is using Anonymous Access, and I want to move to Forms Authentication. Although it is not straightforward, as it currently stands (with Anon. Access set) the unauthenticated user (i.e. a user that has not yet logged on) can view a .pdf, .doc, etc. file if they enter the exact URL path to the file (i.e. security through obscurity).

The Problem

  • I am expecting that when I am not logged on, I should not be able to see the .pdfs when entering the absolute URL (this is OK).
  • However, I am also expecting that when I do log on I should be able to see the .pdfs when entering the absolute URL (this does not happen - what does happen is that when I enter the absolute URL of a pdf, I am redirected back to the home page - I am still logged on, but the cookie must not be detected within the authorization - i.e. the "deny" rule above responds with a rejection and sends me back to the home page - note the cookie exists and has not expired).

My Setup and What I have Tried

The Cookie is set via the following code

Response.Cookies("MyAuthCookie") = myGuid
Response.Cookies("MyAuthCookie").Expires = DateAdd("h", 6, Now())
Response.Cookies("MyAuthCookie").Path = "/"

I have tried to tie down access to the .pdf and .doc files via web.config authorization allow/deny rules as follows:

<location path="myProtectedFolder">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<system.web>
  <machineKey decryptionKey="XXXXXXXX99999999XXXXXXXX" validationKey="XXXXXXXX99999999XXXXXXXX" />
  <authentication mode="Forms">
    <forms name="MyAuthCookie" loginUrl="/index.asp" path="/" />
  </authentication>
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>

Modules have been configured as follows:

<modules>
  <remove name="FormsAuthentication" />
  <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  <remove name="UrlAuthorization" />
  <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  <remove name="DefaultAuthentication" />
  <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>

...and handlers as follows (to be processed by ISAPI):

<handlers>
  <add name="pdfs64" path="*.pdf" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" resourceType="File" requireAccess="Read" preCondition="classicMode,runtimeVersionv4.0,bitness64" />
  <add name="pdfs" path="*.pdf" verb="*" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="File" requireAccess="Read" preCondition="classicMode,runtimeVersionv4.0,bitness32" />
</handlers>

Other areas of note

  • I have the website set to Anon. Access and Forms Auth (I tried Forms Auth on its own).
  • I have given the website folder/sub-folders read/execute to both the AppPool identity user and "Authenticated Users".
  • I have marked the AppPool as .NET 2 (also tried .NET 4) with Integrated Pipeline (also tried Classic).

Any help would be greatly appreciated.


Solution

  • I finished up creating a true FormsAuthentication cookie from the cookie within an HttpModule (the configuration for the module is in the modules section). This then accommodated the allow/deny rules.
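As an added example of the bridge the solution describes (this is not the asker's module), the C# HttpModule below validates the Classic ASP cookie and issues a genuine forms ticket, which is what UrlAuthorizationModule's `<deny users="?" />` actually checks. It assumes the module is registered in the `<modules>` section under a name of your choosing, that the `<forms name>` attribute is changed to something other than MyAuthCookie so the two cookies do not collide, and that the GUID is checked against server-side session state (here a constructed in-memory table) rather than trusted as-is.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical HttpModule (not the asker's code): reads the Classic ASP cookie,
// validates it against server-side state, and issues a genuine FormsAuthentication
// ticket so that UrlAuthorizationModule's <deny users="?" /> sees the request as
// authenticated. Registered under an assumed name in the <modules> section.
public class AspAuthBridge : IHttpModule
{
    private const string ClassicCookieName = "MyAuthCookie";
    // Constructed demo state: in a real deployment look the GUID up in the
    // application's own session table, since an unsigned GUID cookie proves nothing.
    private static readonly Dictionary<string, string> Sessions =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "11111111-2222-3333-4444-555555555555", "alice" }
        };
    public void Init(HttpApplication app)
    {
        // AuthenticateRequest fires before AuthorizeRequest, where the deny rule is evaluated.
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // FormsAuthenticationModule already validated a signed ticket: nothing to do.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated) return;
        HttpCookie classic = ctx.Request.Cookies[ClassicCookieName];
        string user;
        if (classic == null || string.IsNullOrEmpty(classic.Value)
            || !Sessions.TryGetValue(classic.Value, out user)) return;
        // Encrypted, MAC-protected ticket (keyed by machineKey), 6 hours like the ASP cookie.
        var ticket = new FormsAuthenticationTicket(1, user, DateTime.Now,
            DateTime.Now.AddHours(6), false, string.Empty, "/");
        var formsCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        { HttpOnly = true, Path = "/", Secure = ctx.Request.IsSecureConnection };
        ctx.Response.Cookies.Add(formsCookie);
        // Authenticated principal for this request, so the authorization stage passes now.
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
    }

    public void Dispose() { }
}
```

Once the forms cookie has been issued, later requests are authenticated by FormsAuthenticationModule itself, so the session lookup only runs on the first request after the Classic ASP login.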