Roy Osherove

View Original

ASP.NET Authentication Question + Answer

I can't seem to find an answer to this:

Is it possible to use the tag in web.config to allow some of the pages in your site to be non-secure, meaning users can browse them without being redirected to the login page?

Update:

Well, It didn't take very long for the answers to arrive! Thanks to Fabrice And hElp Blog For providing me with ways to achieve this :) Here are the replies:

Fabrice:

Sure, after protecting your pages with the following configuration: 

<authentication mode="Forms">
<forms
    name=".ASPMyApp"
    loginUrl="Security/Login.aspx"
   
protection="All"
   
timeout="25" />
authentication>

<authorization>
 
<deny users="?" />
authorization>

you can authorize access to the Errors folder (for example) by adding this to the same web.config file.

<location pah="Errors">
  <system.web>
    <auhorization>
     
<allow users="*" />
    auhorization>
  system.web>
location>

You could also do the same by adding a web.config file in the Errors folder, which content would be:

xml version="1.0" encoding="utf-8"?>
<
configuration>
  <system.web>
   
<
auhorization
>
     
<allow users="*"
/>
    auhorization>
  system.web>
configuration
>

 

 

hElp Blog

Roy what I do myself is to put everything to be secure in a folder, duplicate the web config in this folder and modify the tags.

The main web config of your application has to allow everybody.

It works for me !