2
votes

I have used forms authentication to let users log in to my website. However, the users cannot access the Register page without logging in, even though the Register action has the [AllowAnonymous] attribute added.

My AccountController Action is:

    [HttpGet]
    [AllowAnonymous]
    public ActionResult Register()
    {
        return View("Register");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [AllowAnonymous]
    public ActionResult Register(RegistrationModel registrationModel)
    {
        if (new UserAccounts().DoesUserExist(registrationModel.UserName, registrationModel.Email))
            ModelState.AddModelError(String.Empty, "User with same email or Username Already Exists");
        else
        {
            new UserAccounts().CreateUser(registrationModel);
            TempData["Success"] = "User has been created!";
        }

        return View();
    }

The News controller action for showing content only to authenticated users is:

    [Authorize]
    public ActionResult News()
    {
        HomeNewsModel HomeNewsModel = null;

        try
        {
            ViewBag.IsNewsPage = true;
            NewsArticles NewsItems = new NewsArticles();
            ViewBag.Title = "Home";
            HomeNewsModel = new HomeNewsModel();
            HomeNewsModel.AllNews = NewsItems.GetAllNews();
            HomeNewsModel.NewsCategory = new NewsArticles().GetCategories();
        }
        catch (Exception)
        {

            throw;
        }
        return View(HomeNewsModel);
    }

And here is my Web.Config File:

     <?xml version="1.0" encoding="utf-8"?>

     <configuration>
       <appSettings>
         <add key="webpages:Version" value="3.0.0.0"/>
         <add key="webpages:Enabled" value="false"/>
         <add key="ClientValidationEnabled" value="true"/>
         <add key="UnobtrusiveJavaScriptEnabled" value="true"/>
       </appSettings>
       <connectionStrings>
         <add name="DBConnectionString" connectionString="server = localhost; uid = root; password= admin; persistsecurityinfo=True;database=sqlexpressdb;" />

       </connectionStrings>

       <system.web>
         <customErrors defaultRedirect="~/Error/" mode="Off" />
         <compilation debug="true" targetFramework="4.5.2"/>
         <httpRuntime targetFramework="4.5.2"/>
       <authentication mode="Forms">
         <forms loginUrl="~/Account/Login" />
       </authentication>
       </system.web>
       <location path="Account/Register">
         <system.web>
             <authorization>
             <allow users="?"/>
             </authorization>
         </system.web>
     </location>
       <runtime>

         <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
           <dependentAssembly>
             <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35"/>
             <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0"/>
           </dependentAssembly>
           <dependentAssembly>
             <assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35"/>
             <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0"/>
           </dependentAssembly>
           <dependentAssembly>
             <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35"/>
             <bindingRedirect oldVersion="1.0.0.0-5.2.3.0" newVersion="5.2.3.0"/>
           </dependentAssembly>
         </assemblyBinding>
       </runtime>
       <system.codedom>
         <compilers>
           <compiler language="c#;cs;csharp" extension=".cs"
             type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             warningLevel="4" compilerOptions="/langversion:6 /nowarn:1659;1699;1701"/>
           <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb"
             type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             warningLevel="4" compilerOptions="/langversion:14 /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+"/>
         </compilers>
       </system.codedom>
     </configuration>

Things I've tried:

  1. Putting the [AllowAnonymous] attribute at the top of the controller
  2. Using location path="Register" / path="~/Register" /path="~/Account/Register... in web.config

Removing [Authorize] attribute from the News controller opens the Register page when I click on it. Removing with [Authorize] attribute enabled in the News Controller Action opens the Register page when I type it in the URL.

However, it keeps redirecting to Login page with both the combinations enabled.

1
Are you rendering any action in the "_Layout" page which is accessible to authorized users only? Verify if you have Html.Action or Html.RenderAction in the _Layout page and if those actions have the Authorize attribute. This is most likely to be the case. - Nirman
This was exactly the problem. I had a Html.Action instead of Html.ActionLink embedded in an image. Rookie mistake because I'm still a rookie! Thank you so much! - Ashmit Biswas

1 Answer

3
votes

Glad it helped :)

Just posting here as an answer so people visiting the question may also get help for a similar issue.

In such cases, the first thing we need to verify is that the layout page of the CSHTML page, as well as any partial view in the complete hierarchy, does not have @Html.Action or @Html.RenderAction rendering an action that has the Authorize attribute.
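
One way to run the check described in this answer across a whole project, as an added example that is not part of the original answer or the asker's code: a Python script that lists every `Html.Action` / `Html.RenderAction` call in the views whose target action requires login. It assumes attributes sit directly above the class or action declaration; the controller and layout snippets, including the `HomeController` name, are constructed sample inputs.

```python
import re
# Html.Action / Html.RenderAction execute the target action inline, so its
# authorization filters run; Html.ActionLink only emits an <a> tag.
CHILD_CALL = re.compile(r'Html\.(?:Render)?Action\(\s*"(\w+)"(?:\s*,\s*"(\w+)")?')
ATTRS = r'((?:\[[^\]]+\]\s*)*)'  # zero or more [Attribute] blocks
CLASS_DEF = re.compile(ATTRS + r'public\s+class\s+(\w+)Controller\b')
ACTION_DEF = re.compile(ATTRS + r'public\s+(?:[\w<>]+\s+)+(\w+)\s*\(')

def protected_actions(controller_sources):
    """Return {(controller, action)} pairs that require a logged-in user."""
    found = set()
    for src in controller_sources:
        cls = CLASS_DEF.search(src)
        if not cls:
            continue
        class_auth = "Authorize" in cls.group(1)
        for attrs, action in ACTION_DEF.findall(src[cls.end():]):
            if "AllowAnonymous" in attrs:
                continue
            if class_auth or "Authorize" in attrs:
                found.add((cls.group(2), action))
    return found

def child_actions_needing_login(views, controller_sources):
    """views maps a view path to its Razor text; returns (path, line, action)."""
    protected = protected_actions(controller_sources)
    hits = []
    for path, razor in views.items():
        for lineno, line in enumerate(razor.splitlines(), 1):
            for action, controller in CHILD_CALL.findall(line):
                # No controller argument: it depends on the current request,
                # so match the action name against every controller.
                if any(a == action and controller in ("", c) for c, a in protected):
                    hits.append((path, lineno, action))
    return hits

# Constructed sample inputs; HomeController is an assumed name.
HOME = """public class HomeController : Controller {
    [Authorize]
    public ActionResult News() { return View(); }
}"""
ACCOUNT = """public class AccountController : Controller {
    [AllowAnonymous]
    public ActionResult Register() { return View("Register"); }
}"""
LAYOUT = """<a href="#">@Html.Action("News", "Home")<img src="news.png" /></a>
@Html.ActionLink("Register", "Register", "Account")"""
if __name__ == "__main__":
    print(child_actions_needing_login({"Views/Shared/_Layout.cshtml": LAYOUT}, [HOME, ACCOUNT]))
```

Any hit in a layout or shared partial means anonymous pages that use that layout will be redirected to the login URL, regardless of their own `[AllowAnonymous]` attribute.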