authentication doesnt deny access to non aspx (htm, pdf, img, etc) files
Posted on 2005-04-19
When you specify authentication in a web.config using (as a simple example):
<forms name="AuthCookie" path="/" loginUrl="login.aspx" protection="All" timeout="30">
<user name="userA" password="aPassword" />
<deny users="?" />
and then navigate to an aspx then you get redirected to the login.aspx
However, when you navigate to a non-aspx page, such as test.htm, test.pdf, test.gif or test.asp you are allowed access.
I previously worked on a project based on ASP (classic) that used Siteserver membership authentication, also via forms login. This works fine and would intercept ANY request and redirect to login if authentication failed.
I have read that a work around is to alter the IIS configuation so that the files (.gif, .pdf, etc) are processed by the aspnet_isapi.dll, but this seems far from ideal
it would also not work for any file that required processing by a different dll (ie .asp files, for which we will have some, which need to be processed by asp.dll)
Is there something that I am missing?
Is it fixed in asp.net 2.0 (am using 1.1)?
if not, any alternatives people have found as this is a bit useless and worse off than back in the grey old days of NT / IIS4 / SiteServer!!