Protecting Elmah.axd


Elmah is a common tool for debugging ASP.NET applications. You can also use Elmah in an Azure Website; here is a nice blog post on that.

But by default Elmah.axd is available to all users. Here are quick steps to secure it using forms authentication.

  1. Protecting Elmah.axd using ASP.NET Authentication

    Add these lines at the end of the web.config file (inside the <configuration> element)

      <elmah>
        <!--
            allow remote access to elmah.axd
        -->
        <security allowRemoteAccess="true" />
      </elmah>

      <location path="elmah.axd"
                inheritInChildApplications="false">
        <system.web>
          <httpHandlers>
            <add verb="POST,GET,HEAD"
                 path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah" />
          </httpHandlers>
          <!--
            allow only elmahuser to access elmah.axd
            (rules are evaluated top-down, first match wins, so the allow must come before the deny)
          -->
          <authorization>
            <allow users="elmahuser" />
            <deny users="*" />
          </authorization>
        </system.web>
        <system.webServer>
          <handlers>
            <add name="ELMAH" verb="POST,GET,HEAD"
                 path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah"
                 preCondition="integratedMode" />
          </handlers>
        </system.webServer>
      </location>

  2. Create a user account

    Add these lines within the <system.web> node of the web.config file as shown

      <system.web>
        <authentication mode="Forms">
          <forms name="elmahdetails" loginUrl="login.aspx">
            <credentials passwordFormat="Clear">
              <user name="elmahuser" password="mycomplexpassword" />
            </credentials>
          </forms>
        </authentication>
        <!-- the rest of the site stays open to anonymous users -->
        <authorization>
          <allow users="?" />
        </authorization>
      </system.web>

  3. Add a Login.aspx page and add these HTML tags

        <form id="form1" runat="server">
            <table>
                <tr>
                    <td>User Name:</td>
                    <td>
                        <asp:TextBox ID="TextBox1"
                            runat="server" />
                    </td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td>
                        <asp:TextBox TextMode="Password"
                            ID="TextBox2"
                            runat="server" />
                    </td>
                </tr>
            </table>
            <p>
                <asp:Button ID="cmdLogin"
                    runat="server"
                    Text="Logon"
                    OnClick="cmdLogin_Click" />
            </p>
        </form>

  4. Add this to the page's code-behind

            using System;
            using System.Web;
            using System.Web.Security;

            protected void cmdLogin_Click(object sender, EventArgs e)
            {
                // Compare against the same user name and password configured in web.config.
                if (string.Compare(TextBox2.Text, "mycomplexpassword") == 0 &&
                    string.Compare(TextBox1.Text, "elmahuser") == 0)
                {
                    // Issue a forms-authentication ticket for elmahuser that expires in 30 minutes.
                    FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(1,
                        TextBox1.Text,
                        DateTime.Now,
                        DateTime.Now.AddMinutes(30),
                        true,
                        "your custom data");
                    string cookiestr = FormsAuthentication.Encrypt(tkt);
                    HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
                    ck.Expires = tkt.Expiration;
                    ck.Path = FormsAuthentication.FormsCookiePath;
                    Response.Cookies.Add(ck);

                    // ReturnUrl is supplied by the caller in the query string; only follow
                    // application-relative paths so the login page cannot redirect off-site.
                    string strRedirect = Request["ReturnUrl"];
                    if (string.IsNullOrEmpty(strRedirect) ||
                        !strRedirect.StartsWith("/") ||
                        strRedirect.StartsWith("//") || strRedirect.StartsWith("/\\"))
                        strRedirect = "default.aspx";
                    Response.Redirect(strRedirect, true);
                }
                else
                    Response.Redirect("login.aspx", true);
            }

  5. Now try to access the elmah.axd file; it should redirect to the login.aspx page. Note: the password is submitted in clear text (and stored in clear text in web.config via passwordFormat="Clear"), so serve the login page over HTTPS.
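To check that the web.config from steps 1 and 2 actually locks anonymous users out of elmah.axd, here is a small audit script added to this post (not part of Elmah or the original article). It models ASP.NET's first-match <authorization> evaluation ('*' is everyone, '?' is anonymous, no match means allow) and runs it over a constructed copy of the config above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's web.config reduced to the parts the audit reads.
SAMPLE_WEB_CONFIG = """<configuration>
  <elmah><security allowRemoteAccess="true" /></elmah>
  <location path="elmah.axd"><system.web>
    <authorization><allow users="elmahuser" /><deny users="*" /></authorization>
  </system.web></location>
  <system.web><authentication mode="Forms">
    <forms name="elmahdetails" loginUrl="login.aspx"><credentials passwordFormat="Clear">
      <user name="elmahuser" password="mycomplexpassword" /></credentials></forms>
  </authentication></system.web>
</configuration>"""


def is_allowed(rules, user):
    """ASP.NET semantics: rules are evaluated top-down and the first match decides.
    '*' matches everyone, '?' matches anonymous users (user == ''); no match => allow."""
    for verb, users in rules:
        for u in (x.strip() for x in users.split(",")):
            if u == "*" or (u == "?" and user == "") or (u and u.lower() == user.lower()):
                return verb == "allow"
    return True


def audit(config_xml):
    """Return findings for how elmah.axd is protected in config_xml."""
    root = ET.fromstring(config_xml)
    loc = root.find("location[@path='elmah.axd']")
    rules = [] if loc is None else [(r.tag, r.get("users", ""))
                                    for r in loc.iter() if r.tag in ("allow", "deny")]
    findings = []
    if loc is None:
        findings.append("no <location path='elmah.axd'>: handler inherits site-wide rules")
    if is_allowed(rules, ""):
        findings.append("anonymous users can reach elmah.axd")
        sec = root.find("elmah/security")
        if sec is not None and sec.get("allowRemoteAccess", "").lower() == "true":
            findings.append("allowRemoteAccess=true: error details are exposed to remote callers")
    cred = root.find(".//credentials")
    if cred is not None and cred.get("passwordFormat", "Clear").lower() == "clear":
        findings.append('credentials stored with passwordFormat="Clear"')
    return findings
```

Dropping the `<deny users="*" />` line, or placing it before the allow, changes the result, which is why the rule order in step 1 matters.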
