Forms-based authentication suppression

Release 1.3 - ...

Forms-based authentication can be suppressed on individual requests

You can now configure your site to accept forms-based logon suppression, so that applications outside Smartsite iXperion can access secure pages.

To do this, you have to add the BasicAuthentication module to your web.config:

IIS 6

<httpModules>
   <add type="Smartsite.AspNet.Bridge.Hook,Smartsite.AspNet.Bridge" name="ixbridge" />
   <add name="BasicAuthentication" type="Smartsite.Security.Authentication.BasicAuthenticationModule, Smartsite.Security" />
  ...

IIS 7

<system.webServer>
  <modules>
   <remove name="BasicAuthentication" />
   <add name="ixbridge" type="Smartsite.AspNet.Bridge.Hook,Smartsite.AspNet.Bridge" preCondition="" />
   <add name="BasicAuthentication" type="Smartsite.Security.Authentication.BasicAuthenticationModule, Smartsite.Security" preCondition="" />
   ...

Individual requests can now use the URL command nofba to tell the server not to perform forms-based logon. Instead of redirecting to the forms login URL (HTTP status 302), the server sends an HTTP 401 status to the client and accepts credentials sent in the request header.

Example URL:

http://yourserver/yoursecureapp?hid=nofba

Security notice:
Bypassing forms-based authentication has a severe security implication. It enables non-secure Basic Authentication, where passwords are sent over the line as clear text. Please consider using SSL on pages that use this technique.
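
An added example (not Smartsite code) for the nofba request and the security notice above: a Python client helper that builds the nofba URL, refuses to attach Basic credentials to a non-HTTPS URL, and shows that a captured Authorization header decodes straight back to the password. The function names and sample credentials are constructed for illustration, and it assumes the 401 reply carries a standard WWW-Authenticate: Basic challenge.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def nofba_url(url):
    """Return url with hid=nofba added; reject anything that is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Basic credentials must not be sent without TLS: " + url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if ("hid", "nofba") not in query:
        query.append(("hid", "nofba"))
    return urlunsplit(parts._replace(query=urlencode(query)))


def basic_header(user, password):
    """Build the Authorization header sent in answer to the 401."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return {"Authorization": "Basic " + token.decode("ascii")}


def recover_credentials(header_value):
    """Decode a Basic header: Base64 is an encoding, not encryption."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def classify_first_reply(status, headers):
    """Interpret the reply to a nofba request sent without credentials."""
    challenge = headers.get("WWW-Authenticate", "")  # assumed standard challenge
    if status == 401 and challenge.lower().startswith("basic"):
        return "suppressed"      # forms logon suppressed: retry with basic_header()
    if status == 302:
        return "forms-redirect"  # module not configured, or nofba not honoured
    return "other"


if __name__ == "__main__":
    url = nofba_url("https://yourserver/yoursecureapp")
    header = basic_header("svc-account", "constructed-password")  # constructed values
    print(url)
    print(classify_first_reply(401, {"WWW-Authenticate": 'Basic realm="site"'}))
    # Anyone who can read the request on a plain-HTTP link gets this back:
    print(recover_credentials(header["Authorization"]))
```

A "forms-redirect" result on a nofba request is a signal to check that the BasicAuthentication module is registered in web.config before any credentials are sent.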