保护ELMAH文件

Question

I am trying to allow the access to the elmah.axd file for only a perticular login and all others should be denied. I have followed Phil Haack's tutorial for securing the file.

<httpHandlers>
            <remove verb="*" path="*.asmx"/>
            <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
            <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
            <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
            <add verb="POST,GET,HEAD" path="admin/elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
        </httpHandlers>

<location path="admin">
    <system.web>
        <authorization>
            <allow users="admin@testing.com"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

First I logged in as user@testing.com and tried to access the http://localhost:58961/admin/elmah.axd file and I am rightly being redirected to the Login.aspx page. Next I logged in as admin@testing.com and was able to access the elmah file at http://localhost:58961/admin/elmah.axd . Now I logged in again as user@testing.com and I was able to access the emlah file now. What is the reason for this behavior?

Answer 1

It would appear that you still had a valid session key from your "admin@testing.com" account. This may have been from a browser window, or from how asp.net handles authentication.

sometime there can be a case where the asp.net authentication ticket is market as expired, however the cookie has not yet (because of sliding expiry)