Regarding: Microsoft.AspNet.FriendlyUrls
I am using forms authentication and FriendlyUrls. I have a subdirectory named "Account" which contains the file "Register.aspx". I need to grant permission to the file "Register.aspx" and deny permission for all other files via the web.config. I've tried various settings, but the file Register.aspx does not get permission.
web.config

    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="Account/login" name="LOGIN" defaultUrl="Account/Logged" timeout="15" cookieless="UseDeviceProfile" protection="All" slidingExpiration="true" />
        </authentication>
    </system.web>
    <location path="Account">
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </location>
    <location path="Account/Register">
        <system.web>
            <authorization>
                <allow users="?" />
            </authorization>
        </system.web>
    </location>

I had this same issue with FriendlyURLs and Forms authentication (OWIN though). Trying to access an authorized content page attempted to redirect to /Account/Login?returnUrl=%2FAccount%2FLogin, only the redirection got stuck in an infinite loop until the query string exceeded the maximum length!!! The only way I could find around it was to put the login page (or any other pages that allow anon access) in a folder of its own, and grant access to that folder instead of the page itself. So if I had /Account/Login, I would add:

    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
    <location path="Account">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>

I see you have added a rule for the /Account path, but have set it to deny. Not sure if you had changed that to Allow locally or not...
Although I'm using MS OWIN's forms authentication library, not the default ASP.Net built-in one, I expect the above will work for the standard one as well. FYI, my forms authentication auth setup looks like this:

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            AuthenticationMode = AuthenticationMode.Active,
            LoginPath = new PathString("/Account/Login"),
            LogoutPath = new PathString("/Account/Logout"),
            ExpireTimeSpan = TimeSpan.FromHours(12),
            SlidingExpiration = true,
            CookieName = "MyCookieName.Session",
            CookieSecure = CookieSecureOption.SameAsRequest,
            // Required for AJAX calls
            CookieHttpOnly = false
        });
    }
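
As an added illustration (not code from the question, the answer, or the FriendlyUrls project), this Python sketch models how the `<authorization>` rules in the two web.config snippets above resolve for an unauthenticated visitor: the most specific `<location>` is consulted first and the first matching rule wins. It is a simplified model that assumes only the `users` attribute matters (no roles or verbs) and does not model FriendlyUrls routing or any special handling of the login page; `audit`, `QUESTION_CONFIG` and `ANSWER_CONFIG` are hypothetical names.

```python
import xml.etree.ElementTree as ET
# Constructed from the two configs on this page, wrapped in <configuration>.
QUESTION_CONFIG = """<configuration>
  <location path="Account"><system.web><authorization>
    <deny users="?" /></authorization></system.web></location>
  <location path="Account/Register"><system.web><authorization>
    <allow users="?" /></authorization></system.web></location>
</configuration>"""
ANSWER_CONFIG = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <location path="Account"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
</configuration>"""

def _rules(system_web):
    """Return [(action, users)] from one <system.web><authorization> block."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(r.tag, {u.strip() for u in r.get("users", "").split(",")})
            for r in auth if r.tag in ("allow", "deny")]

def load_scopes(config_xml):
    """Map each scope ('' = site root, else a <location> path) to its rules."""
    root = ET.fromstring(config_xml)
    scopes = {"": _rules(root.find("system.web"))}
    for loc in root.findall("location"):
        path = loc.get("path", "").strip("/").lower()
        scopes.setdefault(path, []).extend(_rules(loc.find("system.web")))
    return scopes

def anonymous_allowed(scopes, url_path):
    """Most specific scope first; the first rule naming '?' or '*' decides."""
    path = url_path.strip("/").lower()
    matching = [s for s in scopes if s == "" or path == s or path.startswith(s + "/")]
    for scope in sorted(matching, key=len, reverse=True):
        for action, users in scopes[scope]:
            if users & {"?", "*"}:
                return action == "allow"
    return True  # assumed machine-level default: <allow users="*" />

def audit(config_xml, paths):
    """Return {path: True/False} for an unauthenticated visitor."""
    scopes = load_scopes(config_xml)
    return {p: anonymous_allowed(scopes, p) for p in paths}

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("answer", ANSWER_CONFIG)):
        print(name, audit(cfg, ["Account/Register", "Account/login", "Account/Logged", "Default"]))
```

Under this model the answer's `allow users="*"` on `Account` opens every page in that folder to anonymous visitors, including `Account/Logged`, so a folder opened this way should hold only pages meant to be public.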