MSDN Blogs: Protecting Elmah.axd

Elamh is a common tool to debug ASP.NET application. You can use Elmah in Azure Website, here is a nice blog

But by default Elamh.axd is available to all users. Here are quick steps to secure it using forms authentication.

1. Protecting Elmah.axd using ASP.NET Authentication

   Add these lines at the end of web.config file

   <elmah>     <!–         allow remote access to elamh.axd     –>     <securityallowRemoteAccess=“true“ />   </elmah>     <locationpath=“elmah.axd“             inheritInChildApplications=“false“>     <system.web>       <httpHandlers>         <addverb=“POST,GET,HEAD“              path=“elmah.axd“              type=“Elmah.ErrorLogPageFactory, Elmah“ />       </httpHandlers>       <!–         allow only elmahuser to access elamh.axd       –>       <authorization>         <allowusers=“elmahuser“ />         <denyusers=“*“ />       </authorization>     </system.web>     <system.webServer>       <handlers>         <addname=“ELMAH“verb=“POST,GET,HEAD“              path=“elmah.axd“              type=“Elmah.ErrorLogPageFactory, Elmah“              preCondition=“integratedMode“ />       </handlers>     </system.webServer>   </location>

2. Create a user account 

   Add these lines within <system.web> node  in web.config file as shown

   <authenticationmode=“Forms“  >       <formsname=“elmahdetails“loginUrl=“login.aspx“>         <credentialspasswordFormat=“Clear“>           <username=“elmahuser“password=“mycomplexpassword“/>         </credentials>       </forms>     </authentication>     <authorization>       <allowusers = “?“ />     </authorization>     </system.web>

3. Add Login.aspx page, and add this html tags

   <formid=”form1″runat=”server”>         <table>             <tr>                 <td>User Name:</td>                 <td>                     <asp:TextBoxID=”TextBox1″                         runat=”server”/>                 </td>             </tr>             <tr>                 <td>Password:</td>                 <td>                     <asp:TextBoxTextMode=”Password”                         ID=”TextBox2″                         runat=”server”/>                 </td>             </tr>         </table>         <p>             <asp:ButtonID=”cmdLogin”                 runat=”server”                 Text=”Logon”                 OnClick=”cmdLogin_Click”/>         </p>     </form>

4. Add this in the code behind

   protectedvoid cmdLogin_Click(object sender, EventArgs e)         {               if (string.Compare(TextBox2.Text, “mycomplexpassword”) == 0 &&                 string.Compare(TextBox1.Text, “elmahuser”) == 0)             {                 FormsAuthenticationTicket tkt;                 string cookiestr;                 HttpCookie ck;                 tkt = newFormsAuthenticationTicket(1,                     TextBox1.Text,                     DateTime.Now,                     DateTime.Now.AddMinutes(30),                     true,                     “your custom data”);                 cookiestr = FormsAuthentication.Encrypt(tkt);                 ck = newHttpCookie(FormsAuthentication.FormsCookieName, cookiestr);                 ck.Expires = tkt.Expiration;                 ck.Path = FormsAuthentication.FormsCookiePath;                 Response.Cookies.Add(ck);                   string strRedirect;                 strRedirect = Request[“ReturnUrl”];                 if (strRedirect == null)                     strRedirect = “default.aspx”;                 Response.Redirect(strRedirect, true);             }             else                 Response.Redirect(“login.aspx”, true);         }

5. Now try to access elmah.axd file, it should redirect to login.aspx page. Note : we are sending password in clear text