Grant Harmeyer #1
Forms Authentication on Subdirectories of App
I would like to have a directory that is Forms authenticated so that all
ASP.NET resources contained within the directory require a logged on user.
Per spec, I have to accomplish this through the use of the <location />
element in the web.config file. I have written the code that authenticates
the user against a DB and that works fine with the login page. However, when
I attempt to type in a URL for a file in that directory (that is not the
login page) and I have NOT logged in, the page is still served. So, the
authentication is not being checked. I haven't done anything with forms
authentication before, and I have it set up nearly the same as it is set up
in the Programming ASP.NET book by Dino Esposito, except of course for the
Web.Config file. I also don't see anywhere in Dino's book that the
Authentication is checked after the initial login.
The whole thing wouldn't be much of a problem if this was its own app with
its own Web.Config, but per spec... not that way.
Web.Config
-----------------------------------------
<location path="main/">
  <system.web>
    <authentication mode="Forms">
      <forms loginURL="login.aspx"
             name="MaintenanceLogin"
             protection="Encryption"
             timeout="20"
             path="/" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <compilation defaultLanguage="C#">
      <assemblies>
        <add assembly="GnMaintain" />
      </assemblies>
    </compilation>
    <customErrors mode="Off" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    <httpRuntime executionTimeout="90" maxRequestLength="4096"
                 useFullyQualifiedRedirectUrl="false" minFreeThreads="8"
                 minLocalRequestFreeThreads="4" appRequestQueueLimit="100" />
  </system.web>
</location>
Grant Harmeyer Guest
Hernan de Lahitte #2
Re: Forms Authentication on Subdirectories of App
I think the location path should be just path="main".
You can find a more extensive explanation of this topic here:
http://www.theserverside.net/articles/printfriendly.aspx?l=FormAuthentication
Hernan L.
"Grant Harmeyer" <gn_harmeyer@hotmail.com> wrote in message
news:OKHCJ%23C8DHA.2676@TK2MSFTNGP10.phx.gbl...
> I would like to have a directory that is Forms authenticated so that all
> ASP.NET resources contained within the directory require a logged on user.
> Per spec, I have to accomplish this through the use of the <location />
> element in the web.config file. I have written the code that authenticates
> the user against a DB and that works fine with the login page. However, when
> I attempt to type in a URL for a file in that directory (that is not the
> login page) and I have NOT logged in, the page is still served. So, the
> authentication is not being checked. I haven't done anything with forms
> authentication before, and I have it set up nearly the same as it is set up
> in the Programming ASP.NET book by Dino Esposito, except of course for the
> Web.Config file. I also don't see anywhere in Dino's book that the
> Authentication is checked after the initial login.
>
> The whole thing wouldn't be much of a problem if this was its own app with
> its own Web.Config, but per spec... not that way.
>
> Web.Config
> -----------------------------------------
> <location path="main/">
> <system.web>
> <authentication mode="Forms">
> <forms loginURL="login.aspx"
> name="MaintenanceLogin"
> protection="Encryption"
> timeout="20"
> path="/" />
> </authentication>
> <authorization>
> <deny users="?" />
> </authorization>
> <compilation defaultLanguage="C#">
> <assemblies>
> <add assembly="GnMaintain" />
> </assemblies>
> </compilation>
> <customErrors mode="Off" />
> <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
> <httpRuntime executionTimeout="90" maxRequestLength="4096"
> useFullyQualifiedRedirectUrl="false" minFreeThreads="8"
> minLocalRequestFreeThreads="4" appRequestQueueLimit="100" />
> </system.web>
> </location>
>
>
Hernan de Lahitte Guest
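
Added example, not part of either post: a root Web.config for the case discussed in this thread, with `<authentication>` declared once at application level (ASP.NET does not accept that section inside a `<location>` that points at a plain subdirectory) and only the `<authorization>` rule scoped to `main`. The `loginUrl` value is an assumption that login.aspx lives in main/, and `protection="All"` is used in place of the post's `Encryption`.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: root Web.config of the application that contains main/ -->
<configuration>
  <system.web>
    <!-- Application-wide: the authentication mode is set once per application. -->
    <authentication mode="Forms">
      <!-- The documented attribute name is loginUrl.
           Its value here is an assumption: login.aspx is taken to live in main/.
           protection="All" encrypts and validates the ticket;
           "Encryption" alone leaves the cookie without tamper detection. -->
      <forms name="MaintenanceLogin"
             loginUrl="main/login.aspx"
             protection="All"
             timeout="20"
             path="/" />
    </authentication>
    <!-- The rest of the site stays open to anonymous users. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Only the authorization rule is scoped to the subdirectory.
       The path is written without a trailing slash. -->
  <location path="main">
    <system.web>
      <authorization>
        <!-- "?" means anonymous (not logged on) users. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the rule, request a page under main/ in a fresh browser session with no authentication cookie: the response should be a redirect to the login page carrying a ReturnUrl parameter, not the page itself.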




