Protecting Elmah.axd

Elmah is a common tool for debugging ASP.NET applications. You can also use Elmah in an Azure Website; there is a nice blog post on that.

But by default Elmah.axd is available to all users. Here are quick steps to secure it using forms authentication.

  1. Protecting Elmah.axd using ASP.NET Authentication

    Add these lines at the end of the web.config file (inside the <configuration> element):

      <elmah>
        <!--
            allow remote access to elmah.axd
        -->
        <security allowRemoteAccess="true" />
      </elmah>

      <location path="elmah.axd"
                inheritInChildApplications="false">
        <system.web>
          <httpHandlers>
            <add verb="POST,GET,HEAD"
                 path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah" />
          </httpHandlers>
          <!--
            allow only elmahuser to access elmah.axd
            (rules are evaluated top-down, first match wins,
             so the allow must come before the deny)
          -->
          <authorization>
            <allow users="elmahuser" />
            <deny users="*" />
          </authorization>
        </system.web>
        <system.webServer>
          <handlers>
            <add name="ELMAH" verb="POST,GET,HEAD"
                 path="elmah.axd"
                 type="Elmah.ErrorLogPageFactory, Elmah"
                 preCondition="integratedMode" />
          </handlers>
        </system.webServer>
      </location>

  2. Create a user account

    Add these lines within the <system.web> node in the web.config file, as shown:

      <system.web>
        <authentication mode="Forms">
          <forms name="elmahdetails" loginUrl="login.aspx">
            <credentials passwordFormat="Clear">
              <user name="elmahuser" password="mycomplexpassword" />
            </credentials>
          </forms>
        </authentication>
        <!--
          "?" means anonymous users: the rest of the site stays open,
          elmah.axd is governed by the <location> rules from step 1
        -->
        <authorization>
          <allow users="?" />
        </authorization>
      </system.web>

  3. Add a Login.aspx page containing these HTML tags:

        <form id="form1" runat="server">
            <table>
                <tr>
                    <td>User Name:</td>
                    <td>
                        <asp:TextBox ID="TextBox1"
                            runat="server" />
                    </td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td>
                        <asp:TextBox TextMode="Password"
                            ID="TextBox2"
                            runat="server" />
                    </td>
                </tr>
            </table>
            <p>
                <asp:Button ID="cmdLogin"
                    runat="server"
                    Text="Logon"
                    OnClick="cmdLogin_Click" />
            </p>
        </form>

  4. Add this to the code-behind of Login.aspx:

            // Requires: using System; using System.Web; using System.Web.Security;
            protected void cmdLogin_Click(object sender, EventArgs e)
            {
                // Hard-coded check; the values must match the <user> entry in web.config
                if (string.Compare(TextBox2.Text, "mycomplexpassword") == 0 &&
                    string.Compare(TextBox1.Text, "elmahuser") == 0)
                {
                    // Ticket: version 1, user name, issued now, valid for 30 minutes,
                    // persistent cookie, plus free-form user data
                    FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(1,
                        TextBox1.Text,
                        DateTime.Now,
                        DateTime.Now.AddMinutes(30),
                        true,
                        "your custom data");
                    string cookiestr = FormsAuthentication.Encrypt(tkt);
                    HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
                    ck.Expires = tkt.Expiration;
                    ck.Path = FormsAuthentication.FormsCookiePath;
                    Response.Cookies.Add(ck);

                    // Only follow a ReturnUrl that is a path inside this site; an absolute
                    // URL here would let the login page redirect anywhere (open redirect).
                    string strRedirect = Request["ReturnUrl"];
                    if (string.IsNullOrEmpty(strRedirect)
                        || strRedirect.StartsWith("//")
                        || Uri.IsWellFormedUriString(strRedirect, UriKind.Absolute))
                        strRedirect = "default.aspx";
                    Response.Redirect(strRedirect, true);
                }
                else
                    Response.Redirect("login.aspx", true);
            }

  5. Now try to access elmah.axd; it should redirect to the login.aspx page. Note: the password is sent in clear text, so serve the login page over HTTPS.
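As an added check that is not part of the original post, the script below parses a web.config and reports whether an anonymous remote request can reach elmah.axd and whether the forms credentials are stored in clear text. The sample config string is constructed here from the snippets in steps 1 and 2, and the function name is my own.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.config, assembled from the snippets in steps 1 and 2 above.
SAMPLE_WEB_CONFIG = """<configuration>
  <elmah><security allowRemoteAccess="true" /></elmah>
  <system.web>
    <authentication mode="Forms">
      <forms name="elmahdetails" loginUrl="login.aspx">
        <credentials passwordFormat="Clear">
          <user name="elmahuser" password="mycomplexpassword" />
        </credentials>
      </forms>
    </authentication>
    <authorization><allow users="?" /></authorization>
  </system.web>
  <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <authorization>
        <allow users="elmahuser" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def audit_elmah_config(xml_text):
    """Report how elmah.axd is protected in a web.config (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    sec = root.find("./elmah/security")
    remote = sec is not None and sec.get("allowRemoteAccess", "false").lower() == "true"

    # Authorization rules that apply to /elmah.axd: the <location> rules come first,
    # then the site-wide ones. ASP.NET walks them top-down and the first match wins.
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == "elmah.axd":
            rules += loc.findall("./system.web/authorization/*")
    rules += root.findall("./system.web/authorization/*")
    anon_allowed = True  # no matching rule at all means ASP.NET allows the request
    for rule in rules:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "*" in users or "?" in users:  # both match an anonymous request
            anon_allowed = rule.tag == "allow"
            break

    # <credentials> defaults to SHA1 when passwordFormat is omitted.
    creds = root.find("./system.web/authentication/forms/credentials")
    clear_pw = creds is not None and creds.get("passwordFormat", "SHA1").lower() == "clear"
    return {"remote_access": remote, "anonymous_can_view": anon_allowed,
            "exposed_remotely": remote and anon_allowed, "cleartext_credentials": clear_pw}
```

Run it against the real web.config after step 2: `exposed_remotely` should be False, and `cleartext_credentials` flags the passwordFormat="Clear" setting from step 2.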