How do I disable the default login prompt from EPiServer?
I have several login pages for different extranets, and I've made a handler to redirect to the right login page, but the default EPiServer prompt comes in before my handler is executed.
What do you have in the <authentication /> element in web.config?
<forms name=".EPiServerLogin" loginUrl="templates/public/pages/common/login.ashx" timeout="1440" />
And the .ashx guy does redirect to correct login page based on extranet?
Yes, depending on the return URL it redirects to the right extranet. But the EPiServer default prompt is popping up before my .ashx. Isn't there any classic mode, with a login page?
By episerver default prompt, do you mean the one at /util/login.aspx?
Nope, it is a popup login prompt, like the one for Windows login in web browsers, but in all browsers. Is it just me? I thought that was the default prompt... is it an IIS thing?
Yes, Windows Login prompt suggests you need to look at your IIS settings. You should have it set for Anonymous access.
It could also, depending on your other config, have something to do with permissions on disk.
If you run integrated mode you can't combine an HTTP authentication login prompt with Forms Authentication. This worked on IIS 6.
It is really strange. I've been looking all over my Windows Server 2012 configuration: I do have Forms Authentication activated, and I do log in with the EPiServer membership credentials, not any Windows account. I run the IIS AppPool as NetworkService. Permissions on disk are set. I have this on dev, test and prod servers. I'm confused ...
Maybe some other setting in web.config is causing the popup window to show up. For instance a <location> element defined for the "templates" folder?
From web.config:
<modules runAllManagedModulesForAllRequests="true">
<add name="BasicAuthentication" type="EPiServer.Security.BasicAuthentication, EPiServer" />
With that removed it's working without the prompt. What is EPiServer.Security.BasicAuthentication? Legacy?
It seems that EPiServer.Security.BasicAuthentication is like two-level authentication using Forms Authentication and Windows Authentication.
As far as I remember, the Basic authentication module was needed to support sending a basic authentication challenge instead of a redirect to the forms login page. So it actually decodes the credentials from the request header and tries to authenticate the given user and password against the membership providers. If successful, it issues a FormsAuthentication cookie.
And what's most probably more interesting for your case is that on request end it monitors the response state, and if forms authentication is enabled and the server sends back a redirect to the login page, this module intercepts that, sets the response status to 401 and adds a "WWW-Authenticate" header, which tells the browser to start HTTP basic authentication.
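To make the two behaviours described in the previous post concrete, here is an added illustration written as a plain ASP.NET IHttpModule. It is not EPiServer's own BasicAuthentication module (whose source is not on this page); the class name, the realm string and the decision to only intercept redirects that point at FormsAuthentication.LoginUrl are assumptions made for the example.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

// Hypothetical module illustrating the behaviour described in the thread:
//  1. On AuthenticateRequest, decode an "Authorization: Basic ..." header,
//     validate it against the membership provider and issue the forms cookie.
//  2. On EndRequest, turn a redirect to the forms login page into a 401 with
//     a WWW-Authenticate header, which makes browsers show the basic login popup.
// This is NOT EPiServer.Security.BasicAuthentication; it only mirrors what the
// thread says that module does.
public class BasicChallengeModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (app.Context.User != null && app.Context.User.Identity.IsAuthenticated)
            return; // a valid forms cookie is already present

        string header = app.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return; // no basic credentials: leave the normal forms flow alone

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException)
        {
            return; // malformed header, ignore it rather than fail the request
        }

        int sep = decoded.IndexOf(':');
        if (sep < 0) return;
        string user = decoded.Substring(0, sep);
        string password = decoded.Substring(sep + 1);

        // Validate against the configured membership provider, then issue the
        // forms cookie so later requests need no Authorization header.
        if (Membership.ValidateUser(user, password))
        {
            FormsAuthentication.SetAuthCookie(user, false);
            app.Context.User = new GenericPrincipal(new GenericIdentity(user), new string[0]);
        }
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpResponse response = app.Response;
        if (response.StatusCode != 302) return;

        // Only intercept the redirect that forms authentication issues to its login page.
        string location = response.RedirectLocation ?? string.Empty;
        if (!location.StartsWith(FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase))
            return;

        response.ClearHeaders(); // drops the Location header
        response.StatusCode = 401;
        response.AppendHeader("WWW-Authenticate", "Basic realm=\"EPiServer\""); // realm is an assumption
    }
}
```

The EndRequest half is exactly what produces the browser popup the question describes: every unauthenticated page request that would normally bounce to the forms login page (here, the .ashx handler) is answered with a 401 challenge instead, so the custom redirect logic never runs. A module like this is only useful for non-browser clients such as web service calls, which is why the thread's final post keeps it registered but switches the challenge off for the site root.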
You nailed it, Valdis Iljuconoks.
For the record:
<add name="BasicAuthentication" type="EPiServer.Security.BasicAuthentication, EPiServer" /> is indeed still working if you need to authenticate, for example, web services.
Just remember to deactivate it on the base path:
<location path="">
<episerver.basicAuthentication sendBasicChallenge="false" basicRealm="" />
</location>