Forms authentication

[Jof]

I have a very badly behaving forms authentication page.

For some it reason it protects .ASPX pages but not .htm ones?

Any ideas?

 

[memememe]

makes sense. The forms authentication is like a filter done by the .net
engine on IIS, so IIS doesnt even send pages to the .net engine that arent
mapped to hte .net engine. So this means that only things like .aspx and
similar are protected by it. Any .htm, .js, .gif, etc are not protected by
it.
I personally dont like this, and actually dont like most of the
configuration of HttpModules and Authentication, I was too used to making
nice little servlets and filters!

 

[Nicholas Paldino [.NET/C# MVP]]

Jof,

There are two things going on here. First, in the web.config file for
the application, you have to make sure that the <authorization> element will
deny people who are not authenticated (using a deny rule of "?").

On top of that, you will have to make sure that the ASP.NET ISAPI
extension is mapped to handle .HTM and .HTML pages. Otherwise, IIS will
just process it normally and serve it up.

Hope this helps.