What happens when you need to protect your whole site so that only Authenticated users can access our site.

Since I received this question twice this week I thought I’d share a tip.

To allow ONLY authenticated access to your site using Forms authentication you can add a section like this on e to your application’s web.config file.

<authentication mode="Forms">
<forms loginUrl="Login.aspx" name="Login" protection="All"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>

 

The problem is that it seems lots of folks don’t want users to automatically redirect to the Login.aspx page when they navigate to their site home page.

To require authentication for all the pages in your web application EXCEPT the home page (Default.aspx)) 

Also add a location section to your web.config file that explicitly allows anonymous users to access JUST the default.aspx page.

<location path="default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

You can use the web.config location element to specify folders as well as pages which makes it a very powerful construct.

 

Technorati Tags: Microsoft ASP.NET Security Tips & Tricks