
ASP.NET Forms Authentication Blocks Images and CSS Files

If you use ASP.NET Forms Authentication in a web application that runs on IIS 7 or above with an integrated-pipeline application pool, you may find that your application's images and styles are not displayed until you are logged in (authenticated). If you encounter this problem, here is how to fix it.

First, let me take one step back to explain why the problem happens. If you look at your web.config file, you will most likely see an attribute on the <modules> element as follows:

<modules runAllManagedModulesForAllRequests="true" />

If you have implemented Forms Authentication in your application, this attribute, when set to true, tells ASP.NET to protect all content in your application, including images and CSS files, from unauthenticated users. So if you have images and styles on your login page, they will not display. This behavior is new in IIS 7 and above. To ensure backward compatibility, IIS 7 and above uses a precondition in the default configuration of all managed modules. So, by default, ASP.NET only protects requests handled by a managed handler, such as .aspx or .asmx files, because of the precondition. However, setting the above attribute to true in web.config overrides the precondition, and thus all requests pass through the managed modules.

Based on this, the quick and dirty fix is to set the attribute to false or simply remove it from your web.config.

<modules runAllManagedModulesForAllRequests="false" />

But what if your web application requires high security and you DO need to protect files other than .aspx and .asmx files? The better solution is to keep the attribute set to true and, at the same time, use <location> elements so that your image and CSS folders bypass authentication.

<location path="Styles">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
<location path="App_Themes">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

However, there is one more problem with the solution above. If your site has heavy traffic, runAllManagedModulesForAllRequests="true" forces every request through all managed modules, which increases the load on your application. Besides, you may need only some managed modules to handle all requests regardless of content, while the other modules can keep the default configuration. To do this, identify which modules should handle all requests regardless of content, for instance the Forms Authentication module and the URL Authorization module, then modify the <modules> section of your web.config file as follows:

  <system.webServer>
    <!--<modules runAllManagedModulesForAllRequests="false" />-->
    <!-- Re-adding a module without preCondition="managedHandler" makes it run for every request -->
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule"
           type="System.Web.Security.FormsAuthenticationModule" />

      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />

      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>

This change, combined with the <location> elements, allows ASP.NET to display the images and styles on your page without causing security issues.
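To confirm that only the folders you intended are public, here is an added example (not part of the original post): a Python check that reads a web.config and reports which managed modules run for every request and which <location> paths allow anonymous users. The sample config is constructed from the snippets above; the root authorization rule, the Session module entry and the function name are assumptions, and the check inspects only the file it is given, not modules inherited from server-level configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's <location> and <modules> snippets in one file.
# The root <authentication>/<authorization> rules and the Session entry are assumed.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms" />
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="Styles">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <location path="App_Themes">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>"""

def audit_web_config(xml_text):
    """Report modules that see every request and paths that allow anonymous users."""
    root = ET.fromstring(xml_text)
    modules = root.find("system.webServer/modules")
    run_all = (modules is not None and
               modules.get("runAllManagedModulesForAllRequests", "false").lower() == "true")
    every_request = []
    for add in (modules.findall("add") if modules is not None else []):
        conditions = [c.strip() for c in add.get("preCondition", "").split(",")]
        # Without the managedHandler precondition the module also runs for static files.
        if run_all or "managedHandler" not in conditions:
            every_request.append(add.get("name"))
    anonymous_paths = []
    for loc in root.findall("location"):
        for rule in loc.findall("system.web/authorization/allow"):
            users = [u.strip() for u in rule.get("users", "").split(",")]
            if "?" in users or "*" in users:  # "?" = anonymous, "*" = everyone
                anonymous_paths.append(loc.get("path"))
    return {"run_all": run_all, "every_request": every_request,
            "anonymous_paths": anonymous_paths}

if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEB_CONFIG))
```

Any path in `anonymous_paths` that you did not deliberately open, or an authentication module missing from `every_request`, is worth reviewing before deployment.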

Hope this helps.

Jeffrey: