
I have the following ASP.NET Forms Authentication configuration:

<system.web>
  <authentication mode="Forms">
    <forms name="MembershipCookie" 
           loginUrl="Login.aspx" 
           protection="All" 
           timeout="525600" 
           slidingExpiration="true" 
           enableCrossAppRedirects="true" 
           path="/">
    </forms>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

If an anonymous user visits the site and requests home.aspx, should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?

The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.

Update:

The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow-up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:

ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication

  • Check out http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx – Julius A Feb 22 '11 at 13:29
  • @JAngwenyi - thanks for the link, I thought that's what should happen. The question was a sanity check, see my latest post: http://stackoverflow.com/questions/5080837 – Kev Feb 22 '11 at 16:25

2 Answers


If a user is accessing Home.aspx, it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx.

Bala R

If a user accesses Home.aspx, then the second rule will be applied, i.e.

<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

The point to note here is: * tells that any authorized user (having any or no role assigned) could access the page, but ? tells that an unauthorized user could not access the page.

Waqas Raja
  • 10,802
  • 4
  • 33
  • 38