Absolutely. What you linked, was back when Umbraco was used with Webforms, but since then it has switched to MVC, you can still use Webforms but would not recommend it.
I could type in all the code you need. BUT for your sake i think it's better if you go to the Umbraco backend, go to the settings section and then go to Partial View and create a new partial view, it will prompt you to enter a name and and if you want a to choose template, here you can choose the Login template, which will supply you with all the code you need. then you can call your partial view on whatever page you want like this.
Thanks for the help everyone. I would do it on IIS, but current IIS doesn't support basic password protection anymore, and we can't do it by IP address.
I'll take a look at implementing the form, but I really want an easy on/off switch for the entire site and hope it doesn't involve changing every page.
Thank you Steve! That works, I thought the feature had been removed from IIS. Additional notes for anyone else searching this thread:
After installing the Basic Authentication feature for IIS, in IIS Manager you need to 1) disable Anonymous Authentication then 2) enable Basic Authentication for your Umbraco site.
Then to view the site need to enter the credentials for an existing Windows user account that exists on that box. (Eg. create a "tester" user & password for this purpose.)
Sorry to resurrect an old thread, but there is a problem with this approach in that you cannot log in to Umbraco once you enable Basic Auth in IIS, as it means (I believe) the Forms Auth required by the Umbraco backoffice no longer works.
If you have found a way in config to accomplish this, it would be great if you could share the info. The simplest alternative is to use Umbraco's in-built Public Access feature (Forms Auth) to password protect the site's front end. I am looking for a more generic solution though.
I just found that out the other week, it used to work but then when I tried to do it to a new site the back office login does break for the reason you highlighted. There is a warning in IIS as well to say that you can't combine them as they don't work together when you try and enable both.
Thanks for the link looks like that's worth a try!
I use a simple approach using a partial view which checks if your ip-address is allowed. Otherwise I throw a 404 exception.
If you are on a web hotel, changing ip-security may often be not allowed.
@{
var clientIp = Request.UserHostAddress;
// Use: "throw new HttpException(404,"not found");" to deny access
// "::1" is same as localhost
switch(clientIp)
{
case "::1":
@*<p>Localhost</p> *@
break;
case "127.0.0.1":
@*<p>Localhost</p> *@
break;
case "xx.xxx.xx.xx":
break;
case "xx.x.xxx.xxx":
break;
default:
throw new HttpException(404,"not found");
}
}
Thanks Martin, I considered IP whitelist (in fact it is possible to do it via the IIS rewrite module in web.config) but for my application it is not practical as the clients are not all on fixed IPs. Also I am looking for a portable solution that can be applied to all sites currently in dev / UAT phase.
I'm currently looking into an interesting approach by Tim Payne that he blogged about here
FYI For others interested in this topic, I implemented an IIS rewrite rule inspired by Tim Payne's blog post above. My use case is slightly different - the rule simply redirects all requests to the standard Umbraco backoffice login page if the Umbraco login cookie is not present. Neat! Obviously not super secure but enough to satisfy clients that their dev sites are not on public display. #H5YR to Tim Payne!
Great stuff Barry but I had to make one small tweak or I couldn't see the login page. I needed to add DependencyHandler.axd to the list of urls to exclude from the rule as follows:
For most people this probably wouldn't be an issue on a dev site because you will likely be in debug mode but I was testing with debug disabled and therefore all of the back office resources were being compiled with ClientDependencyFramework.
Good catch @Simon. I also had reason to do this on a 7.4 site, and found this Http Auth Module Nuget package really handy. It enables a range of simple authentication methods and IP-based restriction. Its all config-based so you can easily set up different authentications per environment.
great soln but we couldnt get it to work well because we ended up with 301 Permanent redirects, meaning that for some pages you always seemed to end up on the backoffice login screen, even after logging in (the cookie also showed the user was still auth'd).
Changing the rule action to include redirectType="Temporary" and clearing our browser caches seemed to do the trick, ie:
I've also used Barry's solution, and noticed it was defaulting to Permanent. You certainly need to change it to "Temporary"!
I did later notice some issues, whereby the returnPath didn't work and after logging into Umbraco we would stay there. I never bothered to find a solution.
I do like Barry's solution for it's simplicity but it would be nice to find an equally simple but actually secure option.
the returnPath didn't work and after logging into Umbraco we would
stay there
Yep we have that too. The (relatively) quick but dirty way around it that I came up with is to create a simple plugin with a single html that does a javascript redirect to the front web site.
You can then use the dashboard.config to enable that plugin html just for the user types that you want to immediately redirect. Obviously this will stop them having backoffice access because as soon as the backoffice is displayed for them it redirects away.
Password protect site while in development?
Hi, we'd like to password protect our site while in development so only we can see it. Then we'd like to remove that restriction.
I've found this thread from several years ago. It says to paste that form code into the "standard Umbraco template" (is this the master template?)
I tried doing that but it just prints the following on the page in plain text, no form or anything:
Is there an up-to-date way to do this? That form code doesn't look like MVC style code, I don't know what that asp / runat stuff is.
Absolutely. What you linked, was back when Umbraco was used with Webforms, but since then it has switched to MVC, you can still use Webforms but would not recommend it.
I could type in all the code you need. BUT for your sake i think it's better if you go to the Umbraco backend, go to the settings section and then go to Partial View and create a new partial view, it will prompt you to enter a name and and if you want a to choose template, here you can choose the Login template, which will supply you with all the code you need. then you can call your partial view on whatever page you want like this.
@Html.Partial("PartialViewNameHere")
Hope this gives you an idea and that it helps
I think you'd be best doing this at the IIS level - either with an IP restriction or basic auth.
Yes, Steve, it would be better at IIS level !
Thanks for the help everyone. I would do it on IIS, but current IIS doesn't support basic password protection anymore, and we can't do it by IP address.
I'll take a look at implementing the form, but I really want an easy on/off switch for the entire site and hope it doesn't involve changing every page.
Hi,
You're right - it doesn't by default but is very easy to install.
http://www.iis.net/configreference/system.webserver/security/authentication/basicauthentication
Thank you Steve! That works, I thought the feature had been removed from IIS. Additional notes for anyone else searching this thread:
After installing the Basic Authentication feature for IIS, in IIS Manager you need to 1) disable Anonymous Authentication then 2) enable Basic Authentication for your Umbraco site.
Then to view the site need to enter the credentials for an existing Windows user account that exists on that box. (Eg. create a "tester" user & password for this purpose.)
Sorry to resurrect an old thread, but there is a problem with this approach in that you cannot log in to Umbraco once you enable Basic Auth in IIS, as it means (I believe) the Forms Auth required by the Umbraco backoffice no longer works.
If you have found a way in config to accomplish this, it would be great if you could share the info. The simplest alternative is to use Umbraco's in-built Public Access feature (Forms Auth) to password protect the site's front end. I am looking for a more generic solution though.
I did find a interesting article on combining Forms and Windows auth which I am going to try, unless there is an easier way!
Hey Barry,
I just found that out the other week, it used to work but then when I tried to do it to a new site the back office login does break for the reason you highlighted. There is a warning in IIS as well to say that you can't combine them as they don't work together when you try and enable both.
Thanks for the link looks like that's worth a try!
I use a simple approach using a partial view which checks if your ip-address is allowed. Otherwise I throw a 404 exception.
If you are on a web hotel, changing ip-security may often be not allowed.
Thanks Martin, I considered IP whitelist (in fact it is possible to do it via the IIS rewrite module in web.config) but for my application it is not practical as the clients are not all on fixed IPs. Also I am looking for a portable solution that can be applied to all sites currently in dev / UAT phase.
I'm currently looking into an interesting approach by Tim Payne that he blogged about here
FYI For others interested in this topic, I implemented an IIS rewrite rule inspired by Tim Payne's blog post above. My use case is slightly different - the rule simply redirects all requests to the standard Umbraco backoffice login page if the Umbraco login cookie is not present. Neat! Obviously not super secure but enough to satisfy clients that their dev sites are not on public display. #H5YR to Tim Payne!
Great stuff Barry but I had to make one small tweak or I couldn't see the login page. I needed to add
DependencyHandler.axdto the list of urls to exclude from the rule as follows:For most people this probably wouldn't be an issue on a dev site because you will likely be in debug mode but I was testing with debug disabled and therefore all of the back office resources were being compiled with ClientDependencyFramework.
Cheers, Si
Good catch @Simon. I also had reason to do this on a 7.4 site, and found this Http Auth Module Nuget package really handy. It enables a range of simple authentication methods and IP-based restriction. Its all config-based so you can easily set up different authentications per environment.
One for the tool belt :-)
Hi Barry
great soln but we couldnt get it to work well because we ended up with 301 Permanent redirects, meaning that for some pages you always seemed to end up on the backoffice login screen, even after logging in (the cookie also showed the user was still auth'd).
Changing the rule action to include redirectType="Temporary" and clearing our browser caches seemed to do the trick, ie:
Hope that helps anyone else with the same problem.
I've also used Barry's solution, and noticed it was defaulting to Permanent. You certainly need to change it to "Temporary"!
I did later notice some issues, whereby the returnPath didn't work and after logging into Umbraco we would stay there. I never bothered to find a solution.
I do like Barry's solution for it's simplicity but it would be nice to find an equally simple but actually secure option.
Yep we have that too. The (relatively) quick but dirty way around it that I came up with is to create a simple plugin with a single html that does a javascript redirect to the front web site.
You can then use the dashboard.config to enable that plugin html just for the user types that you want to immediately redirect. Obviously this will stop them having backoffice access because as soon as the backoffice is displayed for them it redirects away.
Hope it helps
Hah! Ians approach to it is awesome. : )
https://our.umbraco.com/forum/extending-umbraco-and-using-the-api/93378-using-returnpath-with-umbracologin-to-actual-site
is working on a reply...