Forms-based authentication suppression
Forms-based authentication can be suppressed on individual requests
You can now configure your site to accept forms-based logon suppression, so that applications outside Smartsite iXperion can access secure pages.
To do this, you have to add the BasicAuthentication module to your web.config:
IIS 6
```xml
<httpModules>
  <add type="Smartsite.AspNet.Bridge.Hook,Smartsite.AspNet.Bridge" name="ixbridge" />
  <add name="BasicAuthentication" type="Smartsite.Security.Authentication.BasicAuthenticationModule, Smartsite.Security" />
  ...
```
IIS 7
```xml
<system.webServer>
  <modules>
    <remove name="BasicAuthentication" />
    <add name="ixbridge" type="Smartsite.AspNet.Bridge.Hook,Smartsite.AspNet.Bridge" preCondition="" />
    <add name="BasicAuthentication" type="Smartsite.Security.Authentication.BasicAuthenticationModule, Smartsite.Security" preCondition="" />
    ...
```
Individual requests can now use the URL command nofba to tell the server not to perform forms-based logon: instead of redirecting to the forms login URL (302 HTTP status), the server sends a 401 HTTP status to the client and accepts credentials sent in the request header.
Example URL:
```
http://yourserver/yoursecureapp?hid=nofba
```
Security notice:
Bypassing forms-based authentication has a severe security implication. It enables non-secure Basic Authentication, where passwords are sent over the line as clear text. Please consider using SSL on pages that use this technique.
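The following client-side sketch is an added example, not Smartsite code: it builds a nofba request for an external application, refuses to attach Basic credentials unless the URL uses SSL, and shows that the Authorization header decodes straight back to the password. All function names are hypothetical, the credentials are constructed sample values, and the check for a `WWW-Authenticate: Basic` challenge on the 401 is an assumption.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request


def nofba_url(url):
    """Append the hid=nofba URL command, keeping existing query parameters."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if ("hid", "nofba") not in query:
        query.append(("hid", "nofba"))
    return urlunsplit(parts._replace(query=urlencode(query)))


def basic_credentials(user, password):
    """Authorization header value for Basic: base64 of 'user:password'."""
    if ":" in user:
        raise ValueError("Basic authentication user names cannot contain ':'")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value):
    """Reverse basic_credentials(): base64 is an encoding, not encryption."""
    token = header_value.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_request(url, user, password):
    """Prepare an authenticated nofba request; refuse to send it without SSL."""
    target = nofba_url(url)
    if urlsplit(target).scheme != "https":
        raise ValueError("refusing Basic credentials over cleartext: " + target)
    return Request(target, headers={"Authorization": basic_credentials(user, password)})


def describe_response(status, headers):
    """Classify the server's answer to a nofba request sent without credentials."""
    # Assumption: the 401 carries a 'WWW-Authenticate: Basic ...' challenge.
    if status == 401 and headers.get("WWW-Authenticate", "").lower().startswith("basic"):
        return "suppressed"       # forms logon suppressed; resend with credentials
    if status == 302:
        return "forms-redirect"   # still redirected to the forms login URL
    return "other"
```

A `forms-redirect` result for a URL that already carries `hid=nofba` indicates the BasicAuthentication module is not active for that site.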