ASP.NET Forms authentications

Question

I have created new Project > ASP.NET Web Application (with individual user accounts). To root web.config I have added `

<authentication mode="Forms">
      <forms loginUrl="log.aspx" defaultUrl="about.aspx"/>
    </authentication>

<authorization>
  <deny users="?"/>
</authorization>`

in order to redirect every not authenticated user to log.aspx (it exists in project root). But when I run my project now I got error

HTTP Error 404.15 - Not Found

The request filtering module is configured to deny a request where the query string is too long.

Requested URL    http://localhost:55371/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FAbout.aspx

Physical Path D:\Visual Studio workplace\WebApplication4\WebApplication4\Account\Login

Suggested fix is change maxquerystring so I did it as here. And then error changed

Exception Details: System.Web.HttpException: The length of the query string for this request exceeds the configured maxQueryStringLength value.

To me it looks like some infinite loop. Could you please tell me why the first error mentions /account/login which is default in this project? Also what is a solution in this situation?

I am using VS2015 with IIS Express.

Looks like the primary problem is the length of the query string. To start a RCA, you can increase the max length - http://stackoverflow.com/questions/11636386/how-to-configure-the-web-config-to-allow-requests-of-any-length — Atanu Roy, Apr 30 '17 at 16:27
It sounds to me that you have enabled Asp.Net Identity but you are trying to use the old style Forms Authentication. If I am right, you need to take that stuff out of your config and do some research on Asp.Net Identity. It is used very differently. — Crowcoder, Apr 30 '17 at 16:29
Possible duplicate of [New Asp.Net MVC5 project produces an infinite loop to login page](http://stackoverflow.com/questions/19601412/new-asp-net-mvc5-project-produces-an-infinite-loop-to-login-page) — Atanu Roy, Apr 30 '17 at 16:29
@Crowcoder That is definitly possible source of my information is ISBN: 978-1-4302-2529-4 which is older. I guess I have to crate new project with no auth or find out how to use the new way based on Identity. to:Atanu as I wrote in my post I have already tired it and this is not same problem as you mentioned and is not solved by any answer given in that thread (which I have tired so far). — Bendom, Apr 30 '17 at 17:20
Highly recommend Identity, well worth the effort to learn it. — Crowcoder, Apr 30 '17 at 17:24
@Crowcoder Brief look at it capabilities tells me that it is something great to know but if I need to implement intranet web application with user stored at my db it seems to be an overkill. Well I'll try to use "old" way and hopefully it will be enough and working just fine. Thank you very much. Btw: Is there a way how to mark you comment as an answer? — Bendom, Apr 30 '17 at 17:34

score 0 · Accepted Answer · answered Apr 30 '17 at 17:56

When you select "Individual User Accounts" during project creation you are setting up authentication to use ASP.Net Identity which is a completely different system than Forms Authentication.

You don't want to mix them, use one or the other. But be aware Forms Auth is now much weaker security than Identity which basically sets up a modern Token server within your website.

Dave · Answer 2 · 2018-04-25T18:53:53.780

I have seen this same error posted many times and as I have encountered the same problem myself and all of the answers were not helping me, until I found the real solution to the problem. The original question says: "I have created new Project > ASP.NET Web Application ..." and it says he changed the web.config file. Indeed there is an infinite loop that is occuring because the web.config is set to deny access to any unauthenticated user to every page of the site that is including the login page itself! That is causing the loop. In order to avoid the infinite loop one should grant access to at least the login page. I made that, placing another web.config file inside the folder where my login page is placed, and with the following code inside it:

<?xml version="1.0" encoding="utf-8"?>
  <configuration>
    <system.web>
       <authorization>
          <allow users="?"/>
       </authorization>
    </system.web>
  </configuration>

This grants unauthorized access to all pages inside the folder, so be sure to put your login page there and that's all.

Edited: it is important to say that this approach is using Forms Authentication.

ASP.NET Forms authentications

2 Answers2