Forms Authentication question: How to have some pages open and some requiring forms authentication


Eric

I am trying to build an app where the stuff in the root directory is open to
all, but anything under the Restricted directory requires you to log in, and I
want to use Forms to do it. I'm having trouble getting the web.config to
work properly.

First I tried to have a second web.config in the subdirectory with
authentication and authorization set to forms, but it blew up.

Next, I tried to modify the root web.config in the following manner, wanting
it to only force a login when trying to navigate into the subdirectory, but
it takes me to the login right away.
I thought setting the path to the subdirectory would restrict it to pages
in the subdirectory, but it's not working.
<authentication mode="Forms">
  <forms loginUrl="FormsAuthenticated/login1.aspx" name="AuthCookie"
         timeout="60" path="/FormsAuthenticated"></forms>
</authentication>

<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
 
Try this:

In your root web.config:

<authentication mode="Forms">
  <forms name="MyAuth" loginUrl="/public/Login.aspx" protection="All"
         timeout="60" />
</authentication>

Then, in your secure folder, add a web.config which contains just this:

<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Hope this helps, Dan.
 
For each ASP.NET web application, you can only set the authentication
in the root Web.Config. However, each subfolder can have a Web.Config
with different authorization settings.

This is what I would do. Keep the Forms authentication settings in the
root Web.Config. In the root Web.Config, set the "Authorization" to
allow all access.

<authorization>
  <allow users="*" /> <!-- Allow all users -->
</authorization>

Now, for folders to which you want to restrict access, create a Web.Config
that contains only the "Authorization" section, and deny anonymous
access.

<authorization>
  <deny users="?" />
  <allow users="*" /> <!-- Allow all users -->
</authorization>

Now, the forms authentication will only restrict access to files with
extensions that are mapped to the ASP.NET ISAPI DLL. All other file
extensions will not be protected by the forms authentication.

For example, the forms authentication will protect .aspx files, but
not .htm files. To protect files with non-ASP.NET extensions, you can
go to the IIS manager, and map the file extension you want to protect
to the ASP.NET ISAPI DLL.

For example, if you want to protect .htm files with forms
authentication, you would map the .htm file extension to the ASP.NET
ISAPI DLL.

Tommy,
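
Added example (not part of the thread, and not ASP.NET's own code): a small Python model of how the authorization rules in the replies above combine, with the most local web.config consulted first and the first rule that matches the anonymous user deciding. The folder layouts, file names and the `MAPPED` extension set are constructed assumptions, and only the `users` attribute is modelled (no roles or verbs).

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

def _cfg(rules):
    return ("<configuration><system.web><authorization>%s"
            "</authorization></system.web></configuration>" % rules)

# Constructed sample layouts (folder -> web.config text), not taken from a real site.
ERIC = {"/": _cfg('<deny users="?"/><allow users="*"/>')}   # layout from the question
FIXED = {"/": _cfg('<allow users="*"/>'),                    # layout from the replies
         "/Restricted": _cfg('<deny users="?"/>')}
# Assumption: the extensions mapped to the ASP.NET ISAPI DLL on this server.
MAPPED = {".aspx", ".ashx", ".asmx"}

def rules_for(configs, folder):
    """Yield (tag, users) rules, most local web.config first, then each parent."""
    here = PurePosixPath(folder)
    for d in (here, *here.parents):
        text = configs.get(str(d))
        if text:
            for rule in ET.fromstring(text).iterfind("system.web/authorization/*"):
                yield rule.tag, rule.get("users", "")

def anonymous_allowed(configs, folder):
    """First rule naming '?' or '*' decides; with no match the default is allow."""
    for tag, users in rules_for(configs, folder):
        if {"?", "*"} & {u.strip() for u in users.split(",")}:
            return tag == "allow"
    return True

def audit(configs, files):
    """Classify each file as seen by a visitor who has not logged in."""
    result = {}
    for f in files:
        p = PurePosixPath(f)
        if p.suffix.lower() not in MAPPED:
            result[f] = "not handled by ASP.NET"   # the unmapped-extension caveat
        elif anonymous_allowed(configs, str(p.parent)):
            result[f] = "open"
        else:
            result[f] = "login required"
    return result

if __name__ == "__main__":
    FILES = ["/Default.aspx", "/Restricted/Report.aspx", "/Restricted/notes.htm"]
    for name, cfg in (("question", ERIC), ("replies", FIXED)):
        print(name, audit(cfg, FILES))
```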
 