Implement Form Authentication in ASP.NET

To configure your ASP.NET web application to use Forms authentication, add this to your Web.config (the timeout value is in minutes):

<configuration>
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="/login.aspx" timeout="30"/>
      </authentication>
    </system.web>
</configuration>

Then, to specify which directories and/or files require (or do not require) authentication, add <location> elements like these to your Web.config:

<configuration>
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="/login.aspx" timeout="30"/>
      </authentication>
    </system.web>

  <location path="">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

  <location path="anon">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>

In the above configuration, the first <location> element (path="", i.e. the whole application) denies access to all directories and files for users who have not logged in: the "?" wildcard matches anonymous (unauthenticated) users only. The second <location> element specifies that the directory named “anon” (and all of its children) allows anonymous access, i.e. users do not need to log in in order to reach those directories and files. Authorization rules are evaluated in order and the first match wins, so the more specific rules for "anon" are checked before the application-wide deny.

Note that the <authentication> element and the <location> element work together. The <authentication> element specifies that forms will be used to log the user in and will automatically redirect the user to the specified login page (with the original URL passed in the ReturnUrl query string) whenever authorization rejects a request for a secure directory or file. The <location> element(s), on the other hand, specify which directories and files are accessible or not.
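A hardened version of the configuration above, added here as an example rather than taken from the original post: it keeps the same login page and location layout, but adds the settings a security review would normally ask for. The directory names "anon" and "admin" and the role name "Administrators" are assumptions for illustration; the requireSSL, slidingExpiration, httpCookies and runAllManagedModulesForAllRequests settings are standard ASP.NET / IIS configuration attributes.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout is in minutes. slidingExpiration="false" makes the lifetime
           absolute rather than renewed on every request, which bounds how long a
           stolen ticket stays usable. requireSSL="true" marks the ticket cookie
           Secure so it is never sent over plain HTTP (the replay caveat below).
           cookieSameSite needs .NET Framework 4.7.2 or later. -->
      <forms loginUrl="~/login.aspx"
             defaultUrl="~/default.aspx"
             timeout="30"
             slidingExpiration="false"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             enableCrossAppRedirects="false"
             cookieSameSite="Lax" />
    </authentication>

    <!-- Same effect as the post's <location path=""> block: applies to the whole
         application. "?" matches only anonymous users, so authenticated users fall
         through to the machine-level default <allow users="*"/>. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- The forms ticket cookie is already HttpOnly; these flags cover every other
         cookie the application issues and refuse to send any of them over HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- IIS 7+ integrated pipeline only: run the managed FormsAuthentication and
       UrlAuthorization modules for every request, so static files such as .htm
       or .jpg under a protected directory are also denied instead of being served
       by IIS without ever reaching ASP.NET. -->
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>

  <!-- Public area (assumed directory name): open to everyone, logged in or not. -->
  <location path="anon">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Role-restricted area (assumed directory and role names). Rules are evaluated
       top-down and the first match wins, so the trailing deny users="*" is what
       keeps ordinary logged-in users out; a deny users="?" here would let any
       authenticated user in. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With requireSSL="true" the FormsAuthentication API throws if the login page is served over HTTP, so the site must be reachable over HTTPS before this setting is deployed. If the application runs on more than one server, the <machineKey> validation and decryption keys must also be set to the same values on every node, otherwise tickets issued by one server are rejected by the others.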

A word from Microsoft

The quote below was taken from the MSDN article entitled “ASP.NET Authentication”.

Forms (Cookie)
The Forms authentication provider is an authentication scheme that makes it possible for the application to collect credentials using an HTML form directly from the client. The client submits credentials directly to your application code for authentication. If your application authenticates the client, it issues a cookie to the client that the client presents on subsequent requests. If a request for a protected resource does not contain the cookie, the application redirects the client to the logon page. When authenticating credentials, the application can store credentials in a number of ways, such as a configuration file or a SQL Server database. For more information, see Forms Authentication Provider.

Note An ISAPI server extension only handles those resources for which it has an application mapping. For example, the ASP.NET ISAPI server extension only has application mappings for particular resources, such as .asax, .ascx, .aspx, .asmx, and .config files to name a few. By default, the ASP.NET ISAPI server extension, and subsequently the Forms authentication provider, does not process any requests for non-ASP.NET resources, such as .htm, .jpg or .gif files.

Pros
Makes it possible for custom authentication schemes using arbitrary criteria.
Can be used for authentication or personalization.
Does not require corresponding Windows accounts.

Cons
Is subject to replay attacks for the lifetime of the cookie, unless using SSL/TLS.
Is only applicable for resources mapped to Aspnet_isapi.dll.
