Forms Authentication not protecting html files

Hi Experts I have a sub folder with .aspx and .html files. I have Forms Authentication set up in such a way to allow access to the entire site but restrict access to an admin folder. I have noticed that navigating to the full path of an HTML file inside the admin folder allows me access however all .aspx files operate as expected i.e. redirect to login page if user is not authenticated. Any ideas?

Root web.config is as follows;

    <authentication mode="Forms">
      <forms name="appNameAuth" loginUrl="login.aspx" timeout="30" defaultUrl="~/Admin/Tools.aspx">
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>

  </system.web>

  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

Open in new window

LVL 1
takwirirarIT Projects ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Shaun KlineLead Software EngineerCommented:
Change the extension of the pages to .aspx. ASPX pages are handled through an add-on in IIS, while HTML pages are handled directly by IIS.
0
takwirirarIT Projects ManagerAuthor Commented:
Hi Shaun, thanks for that, what would happen then if I had other file types to be protected that I could not change to .aspx without breaking they way they work e.g. a .PDF file?
0
Shaun KlineLead Software EngineerCommented:
One suggestion is to add the following to the system.webserver section of your web.config file:
<modules runAllManagedModulesForAllRequests="false">
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>

Open in new window


The first module handles the forms authentication that you are already doing. The second module handles URL authentication (Microsoft website.
The third module handles role authentication, if you are using it.
The fourth module verifies that the user has been authenticated.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
takwirirarIT Projects ManagerAuthor Commented:
Wow!!!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.