MSDN Blogs: Protecting Elmah.axd


Elmah is a common tool for debugging ASP.NET applications. You can also use Elmah in an Azure Website (there is a nice blog post on that).

But by default Elmah.axd is available to all users. Here are the quick steps to secure it using forms authentication.

  1. Protecting Elmah.axd using ASP.NET Authentication

    Add these lines at the end of the web.config file (inside the root <configuration> element):

      <elmah>
        <!--
          allow remote access to elmah.axd
        -->
        <security allowRemoteAccess="true" />
      </elmah>

      <location path="elmah.axd" inheritInChildApplications="false">
        <system.web>
          <httpHandlers>
            <add verb="POST,GET,HEAD"
                 path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah" />
          </httpHandlers>
          <!--
            allow only elmahuser to access elmah.axd
          -->
          <authorization>
            <allow users="elmahuser" />
            <deny users="*" />
          </authorization>
        </system.web>
        <system.webServer>
          <handlers>
            <add name="ELMAH" verb="POST,GET,HEAD"
                 path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah"
                 preCondition="integratedMode" />
          </handlers>
        </system.webServer>
      </location>

  2. Create a user account

    Add these lines within the <system.web> node of web.config, as shown:

      <system.web>
        <authentication mode="Forms">
          <forms name="elmahdetails" loginUrl="login.aspx">
            <credentials passwordFormat="Clear">
              <user name="elmahuser" password="mycomplexpassword" />
            </credentials>
          </forms>
        </authentication>
        <authorization>
          <allow users="?" />
        </authorization>
      </system.web>

  3. Add a Login.aspx page containing these HTML tags:

        <form id="form1" runat="server">
            <table>
                <tr>
                    <td>User Name:</td>
                    <td>
                        <asp:TextBox ID="TextBox1"
                            runat="server" />
                    </td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td>
                        <asp:TextBox TextMode="Password"
                            ID="TextBox2"
                            runat="server" />
                    </td>
                </tr>
            </table>
            <p>
                <asp:Button ID="cmdLogin"
                    runat="server"
                    Text="Logon"
                    OnClick="cmdLogin_Click" />
            </p>
        </form>

  4. Add this to the code-behind (Login.aspx.cs):

            using System;
            using System.Web;
            using System.Web.Security;

            protected void cmdLogin_Click(object sender, EventArgs e)
            {
                // Compare the submitted user name and password with the fixed values
                if (string.Compare(TextBox2.Text, "mycomplexpassword") == 0 &&
                    string.Compare(TextBox1.Text, "elmahuser") == 0)
                {
                    FormsAuthenticationTicket tkt;
                    string cookiestr;
                    HttpCookie ck;

                    // Issue a forms ticket for the user, valid for 30 minutes
                    tkt = new FormsAuthenticationTicket(1,
                        TextBox1.Text,
                        DateTime.Now,
                        DateTime.Now.AddMinutes(30),
                        true,
                        "your custom data");
                    cookiestr = FormsAuthentication.Encrypt(tkt);
                    ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
                    ck.Expires = tkt.Expiration;
                    ck.Path = FormsAuthentication.FormsCookiePath;
                    Response.Cookies.Add(ck);

                    // Send the user back to the page that triggered the login
                    string strRedirect;
                    strRedirect = Request["ReturnUrl"];
                    if (strRedirect == null)
                        strRedirect = "default.aspx";
                    Response.Redirect(strRedirect, true);
                }
                else
                    Response.Redirect("login.aspx", true);
            }

  5. Now try to access elmah.axd; it should redirect to the login.aspx page. Note: the password is sent in clear text.
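As an added example (not code from the original post), here is a hardened variant of the step 4 handler: it checks the submitted credentials against the <credentials> element from step 2 instead of repeating the password in code, and lets the framework issue the ticket, which makes the cookie HttpOnly and only honours a ReturnUrl inside this application. It assumes the same control IDs (TextBox1, TextBox2) and a code-behind class named Login; the requireSSL setting in the comment is an assumed change to the step 2 config.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Login.aspx.cs (hypothetical class name, assumed to match Login.aspx)
public partial class Login : Page
{
    protected void cmdLogin_Click(object sender, EventArgs e)
    {
        string user = TextBox1.Text;
        string password = TextBox2.Text;

        // Validate against <forms><credentials> in web.config (step 2),
        // so the secret lives in one place instead of in web.config AND code.
        if (!FormsAuthentication.Authenticate(user, password))
        {
            // Same response for unknown user and wrong password: no hint
            // about which half of the credential was wrong.
            Response.Redirect("login.aspx", true);
            return;
        }

        // RedirectFromLoginPage creates the ticket and cookie for us:
        //  - the cookie is HttpOnly, so script cannot read it;
        //  - it is marked Secure when the config has
        //      <forms name="elmahdetails" loginUrl="login.aspx" requireSSL="true">
        //    which, together with serving login.aspx over HTTPS, addresses the
        //    clear-text password noted in step 5;
        //  - ReturnUrl is only followed when it points inside this application
        //    (enableCrossAppRedirects left at its default of false), so the
        //    hand-written Request["ReturnUrl"] redirect, which would forward
        //    to any URL, is no longer needed.
        FormsAuthentication.RedirectFromLoginPage(user, false /* not persistent */);
    }
}
```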
