I’m trying to protect some content on a web application from un-authenticated
users based on forms authentication.

So far I’ve added the extension (.swf) to the application configuration in
IIS. If I select the checkbox ‘Script engine’, all works fine except for the
fact that you can directly access the object by a specific url without
authentication, assuming you know the path. With the ‘Script engine’
disabled no one, including authenticated users, cannot access the resources.

I’ve reset the file permission on the site to default to no avail. The site
is running on Windows 2003 server using only anonymous access and an
application pool running with the identity of local system.

I am not authenticating the forms logon using the typical methodology of
“FormsAuthentication.RedirectFromLoginPage”, rather users are given an
encrypted URL that contains what access they are allowed. I am using
FormsAuthentication.SetAuthCookie(strEmail, false); to acknowledge the access.

The authentication appears to be work properly as I can test (e.g. bool test
= Context.User.Identity.IsAuthenticated;) with returns the correct results.

There appears to be a crucial issue I’m apparently missing.. Any Ideas?

Thanks,
Bill Belliveau