ASP.NET Membership: CSS being blocked by Deny users, page doesn't render correctly?

Question

I have a page that functions correctly but when i issue a deny user for the whole site it redirects me to the logon page which seems to work BUT the css is not working. Hence there is no styling..

Can anyone help? My web.config is like so

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>

This logon page uses a site.master has the following style sheet but fails to style the document when the above is included

 <link href="../../Content/Site.css" rel="stylesheet" type="text/css" />

To confirm i i remove the part above in web.config then it works hence the css is included and beng styled

I thought it might be something to do with the css being denied .. so i included the following but it makes no difference. I know the site.master is being rendered in the logon page because i see the headers etc..

 <location path="~/Content">
   <system.web>
     <authorization>
       <allow users="*" />
     </authorization>
   </system.web>
 </location>

I have also used firebug in firefox to view the css, if the authorization tags are included in web.config then it states there is no CSS. If i remove the tags then i can see the css and the page is rendered correctly.

I must be missing something. Any help really appreciated

thanks in advance

EDIT

Fiddler states that the site.css is moved??

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8  
Location: /InmoCasaWebClient/Account /LogOn?ReturnUrl=%2fInmoCasaWebClient%2fContent%2fSite.css
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 17 Aug 2010 17:19:12 GMT
Content-Length: 201

<html><head><title>Object moved</title></head><body>

Object moved to here.

Answer 1

Use fiddler to see exactly what is happening to that resource? May shed light on the mystery. It should 403 if it is unauthorized. May be 404ing? If it's not in a virtual directory you could just write:

<link href="/Content/Site.css" rel="stylesheet" type="text/css" />

(directory traversing is flimsy)

Update - now more info

Nice fiddler use ;) Anyway, since it is 302ing (temporarily redirecting) your css files to require validation too the problem is your forms authentication.

You are probably running into the runAllManagedModuleForAllRequest="true" problem. Read that post for info.

Or set the all access to the Content folder to allow access. You're almost there but it would need to be:

<location path="Content">             
   <system.web>             
     <authorization>             
       <allow users="*" />             
     </authorization>             
   </system.web>             
 </location> 

Answer 2

i had a similar problem. if it helps, i added permission (IUSR or depending on your OS) to the root web directory, it worked.

Answer 3

The 302 is from the login framework redirecting you to login when requesting the CSS.

The trick here is your MVC app should not be configuring the security via web.config but rather you should be using the [Authorize] attributes on your controllers which will not interfere with your CSS.