This is one of this things that should be extremely simple and I just can’t work out why it’s not working.
I’m trying to set up some very quick authentication for an ASP.net 3.5 app but storing the usernames and passwords in the web.config file (I know it’s not very secure but it’s an internal app that I keep getting asked to add and remove logins for so this is the quickest way to do it).
So, the relevant config section looks like this:
<authentication mode="Forms">
<forms loginUrl="~/login.aspx">
<credentials>
<user name="user" password="password" />
<user name="user2" password="password2" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
And, in the login page, the code look like this:
string username = tbUsername.Text;
string password = tbPassword.Text;
if (FormsAuthentication.Authenticate(username, password))
FormsAuthentication.RedirectFromLoginPage(username, false);
But, FormsAuthentication.Authenticate(username, password) always returns false. And I can’t figure out why.
I even tried using Membership.ValidateUser but that just adds in a local database to the App_Data folder.
Is there something really basic I’m forgetting here or does this not work at all in .net 3.5?
I’m not sure if this has changed in .NET 3.5, but the
<credentials>element has an attributepasswordFormatthat defines the format for passwords in theweb.config. From the MSDN documentation for .NET 3.5, the default format is SHA1.If you’re using cleartext usernames and passwords in your
web.config, you should use:Event though this is an internal application I’d still recommend at least hashing the password instead of leaving it in clear text.