Forms Authentication web.config set up

Question

Is this specification correct in the root web.config file? I haven't used a child web.config in the protected folder.

<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" loginUrl="">
    </forms>
  </authentication>
</system.web>

Then another specification for system.web also in root web.config:

<location path="to protected folder">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>

Answer 1

You should setup the web.config with the following elements.

<configuration>
    <system.web>
        <authentication mode="Forms">
          <forms name="SiteName" path="/" loginUrl="~/Login.aspx" protection="All" timeout="30" />
        </authentication>
    </system.web>
</configuration>

You can protect folders by placing a web.config that denies anonymous access.

<configuration>
  <system.web>
    <!-- Place in a sub folder that you want to protect using Forms Authentication -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

Answer 2

Web.config is cascaded in child folders, your assumption is correct, use login url

<authentication mode="Forms">
    <forms defaultUrl="~/Step1.aspx" loginUrl="~/Signup.aspx" slidingExpiration="true" timeout="1000">
      <credentials passwordFormat="Clear">
        <user name="admin" password="123.admin"/>
      </credentials>
    </forms>
</authentication>
<authorization>
    <allow users="admin" />
    <deny users="?"/>
</authorization>