0

I've created a new web application. VS generated login, register and similar pages. In web.config it put authentication type "Forms". I expected that all requests would be redirected to the Login page. And yet I can easily navigate to the Home and About pages.

Why is that? How do I make an unauthenticated user be redirected to the Login page? I wonder, if I add new pages, will they have the same behaviour of just showing themselves to anybody?

Anirudh Ramanathan
Nickolodeon

2 Answers

2

You may need to check for authentication on each page you create:

```csharp
// Send anonymous visitors to the login page configured for Forms authentication
if (!User.Identity.IsAuthenticated)
{
    FormsAuthentication.RedirectToLoginPage();
}
```

codingbiz
2

There are two ways to limit the pages to authenticated users.

One is programmatic, the other is by using web.config.
Starting with web.config, you can limit what users can and cannot see; this is the line that controls that:

```xml
<authorization>
  <allow users="?" />
</authorization>
```

and the details are here: http://msdn.microsoft.com/en-us/library/wce3kxhd(VS.100).aspx

By placing a web.config with this inside a directory, you block anyone from seeing anything.

```xml
<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>
```

Then you add additional permissions to let some of them see it.

The other way is to go programmatically: in each page that needs authentication, add code that checks whether HttpContext.Current.User.Identity.IsAuthenticated is true or not.

And there is global.asax, where you can make a broad check in the protected void Application_AuthenticateRequest(Object sender, EventArgs e) function that is called for every page.

Please note that if you have set requireSSL=true on the forms, then Identity.IsAuthenticated returns correct results only on secured SSL pages; on all other pages it returns false.

And one related question: Can some hacker steal the cookie from a user and login with that name on a web site?

Community
Aristos
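
An added example, not part of either answer or of the Visual Studio template: a root web.config that requires login for the whole site and then re-opens specific paths, which is the web.config approach from the second answer applied site-wide. The paths Account/Login.aspx, Account/Register.aspx and Styles are assumptions about the project layout.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Assumed login page path -->
      <forms loginUrl="~/Account/Login.aspx" />
    </authentication>
    <authorization>
      <!-- "?" = anonymous users, "*" = everyone. Rules are checked top to
           bottom and the first match wins. Denying "?" makes Forms
           authentication redirect every unauthenticated request to loginUrl;
           pages added later inherit this rule. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Re-open only what an anonymous visitor needs (assumed paths). -->
  <location path="Account/Register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Styles">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A root file whose only authorization rule is `<allow users="?" />` permits anonymous requests, so pages such as Home and About render without a login.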