Suppose you have a website that contains a Login.aspx and a Default.aspx page in the root.

The simplest way to deny unauthenticated users all access to the website is to add the following to your Web.config:

 <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="Default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <membership>
      <providers>
        <clear />
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
      </providers>
    </membership>
 </system.web>

 

This ensures that unauthenticated users can only access Login.aspx and no other resources, except the resources needed by Login.aspx. So if Login.aspx uses /Images/Logo.png, this image will show on Login.aspx. An unauthenticated user who requests the image directly will be redirected back to the Login.aspx page.
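A variant of the configuration above, added here as an example and not part of the original post: it sends the forms ticket only over HTTPS and only in a cookie, and makes the anonymous exception for the login page's images explicit with a `<location>` element. It assumes the site is served over HTTPS and that the login page's assets live under the Images folder (the folder name is taken from the /Images/Logo.png example above).

```xml
<!-- Added example, not the original post's configuration. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Changed from the post:
           requireSSL="true" marks the ticket cookie Secure (assumes HTTPS);
           cookieless="UseCookies" keeps the ticket out of the URL. -->
      <forms loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             name=".ASPXAUTH"
             path="/"
             requireSSL="true"
             slidingExpiration="true"
             defaultUrl="Default.aspx"
             cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>
    <authorization>
      <!-- Same rule as the post: "?" means anonymous users. -->
      <deny users="?" />
    </authorization>
    <!-- The membership section from the post is unchanged and omitted here. -->
  </system.web>

  <!-- Explicit exception: anyone may fetch the login page's static assets.
       Keep only files that are safe to publish in this folder. -->
  <location path="Images">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```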
