ASP.NET MVC 5 Web.config: “FormsAuthenticationModu

2019-01-13 04:17发布

问题:

Ok so this not a big deal, but it's bugging me and I can't let it go.

So I'm using MVC 5.1 with .NET 4.5.1 and OWIN authentication. So when you create a new MVC 5 project, the following is automatically added to the Web.config to get rid of the forms authentication http module because it is no longer needed when using OWIN middleware:

<system.webServer>
    <modules>
        <remove name="FormsAuthenticationModule" />
    </modules>
</system.webServer>

Now since we are removing the module, that means it was previously added, so here is the entry registering this http module in C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config:

<httpModules>
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</httpModules>

And here is the entry in C:\Windows\System32\inetsrv\config\applicationHost.config for IIS 8.5 that tells my application to use the module:

<system.webServer>
    <modules>
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
    </modules>
</system.webServer>

So what is automatically added to my web config at the application level has a name attribute of "FormsAuthenticationModule" while the entries in the two server level/asp.net level config files use name attribute "FormsAuthentication". So what is going on here? It seems to me that the module won't be removed since the name attribute doesn't match. I would simply think this was a typo, but after searching online, everyone seems to be using "FormsAuthenticationModule" in the application web.config. Was this a recent change in the newer version of asp.net / iis or am I missing something?

回答1:

You're right -- that's a typo in the template.



回答2:

A major side effect of this "typo" is it will leave FormsAuthentication on causing loginpath of owin to be ignored and calls to authenticated pages going to /login.aspx