ASP.NET Forms Authentication

by

I have the following ASP.NET Forms Authentication configuration:

<system.web>
  <authentication mode="Forms">
    <forms name="MembershipCookie" 
           loginUrl="Login.aspx" 
           protection="All" 
           timeout="525600" 
           slidingExpiration="true" 
           enableCrossAppRedirects="true" 
           path="/">
    </forms>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location

If an anonymous user visits the site and requests home.aspx should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?

The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.

Update:

The reason for this question was to sanity check my understanding of ASP.NET 4.0’s Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) – KB980368:

ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication

Contents hide
Answers:
Method 1
Method 2

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

If an user is accessing Home.aspx , it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx .

Method 2

If a user access Home.aspx then the second rule will be applied i.e.

<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

The point to note here is: * tells that any authorized user (having any or no role assigned) could access the page, but ? tells unauthorized user could not access the page.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x