TIP: How to lock down the store to authenticated users only

Post by AbleMods » Tue Jan 16, 2018 2:21 am

A client wants a B2B site that does not sell to the general public. So the store needs to require authentication on every page, even the home page. This prevents both anonymous users from shopping the store as well as search engine bots from indexing the store catalog.

The solution is poorly documented on the internet, but fairly simple once you do it. In the root of the store, there is a master configuration file known as 'web.config'. This file drives all of the ASP.Net settings necessary for a smooth running AbleCommerce store. It also just so happens to handle the primary authentication security settings for the entire Able store. So this is where we make a simple change and the whole store now requires authentication before a page can be viewed.

First, make a backup copy of the web.config file in the root of the store. If something goes wrong, the whole store will go down so you need a quick way to get things back online while you troubleshoot.

Once you have your backup copy made, edit the web.config file. Locate this line:

    <system.web>

and replace it with this:

    <!-- Theme assets stay readable by everyone, signed in or not -->
    <location path="App_Themes">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <!-- Same for client-side scripts -->
    <location path="Scripts">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <system.web>
        <authorization>
            <!-- "?" is the anonymous user: deny it everywhere else in the site -->
            <deny users="?"/>
        </authorization>

Save the changes and upload to the root of the site overwriting the existing file. The website will restart, so don't panic if it takes 30-60 seconds to show in your browser. Once it does appear, now every page in the site will force the standard Able login page.

Pro Tip #681: Never lose the password to your blog where you keep all your tips. Or you might be forced to post important pro tips in a forum :D
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
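
Added example, not part of the original post and not AbleCommerce code: a small Python audit that reads a web.config and reports which paths an anonymous visitor can still reach after the change above, using ASP.NET's first-matching-rule evaluation of the users attribute. The function names and the sample file are constructed for illustration; it assumes a web.config with no XML namespace and does not model roles, verbs or inheritance between nested location paths.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal web.config carrying the rules from the post.
SAMPLE_CONFIG = """<configuration>
  <location path="App_Themes">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="Scripts">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
</configuration>"""


def anonymous_decision(system_web):
    """Return 'allow'/'deny' from the first rule matching an anonymous user, else None."""
    if system_web is None:
        return None
    for rule in system_web.findall("authorization/*"):
        users = {u.strip() for u in rule.get("users", "").split(",")}
        # "?" is the anonymous user and "*" is everyone; the first match wins.
        if rule.tag in ("allow", "deny") and users & {"?", "*"}:
            return rule.tag
    return None


def audit(config_xml):
    """Map '/' and each <location path> to True when anonymous users can reach it."""
    root = ET.fromstring(config_xml)
    # With no matching rule ASP.NET falls back to its default of allowing everyone.
    site = anonymous_decision(root.find("system.web")) or "allow"
    result = {"/": site == "allow"}
    for loc in root.findall("location"):
        # A location with no rule of its own inherits the site-wide decision.
        decision = anonymous_decision(loc.find("system.web")) or site
        result[loc.get("path", "/")] = decision == "allow"
    return result


def anonymous_paths(config_xml):
    """Paths an unauthenticated visitor (or crawler) can still fetch."""
    return sorted(p for p, is_open in audit(config_xml).items() if is_open)


if __name__ == "__main__":
    for path, is_open in audit(SAMPLE_CONFIG).items():
        print(f"{path:12} {'ANONYMOUS ALLOWED' if is_open else 'login required'}")
```

Run it against the edited file before uploading: the only paths reported as anonymous should be the ones deliberately opened, here App_Themes and Scripts.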
