
How can I have ASP.NET automatically redirect non-logged in Forms users to the login page?

Tags:

asp.net

I have an ASP.NET website.

I want users who are not logged in to be automatically (re)directed to the login page, for example,

~/Account/Login.aspx

As it is now, users are able to visit pages (for example, default.aspx) without being logged in.


Note: I am operating on the (perhaps incorrect) assumption that ASP.NET has its own authentication cycle that happens behind my back before every (and any) page loads.


Update @asawyer provided a link that, while not helping to answer the question, did provide a pretty graphic:


Well, what have you tried?

I have a web.config file that enables Forms authentication:

<?xml version="1.0"?>
...
<configuration>
   ...
   <system.web>
      <authentication mode="Forms">
         <forms loginUrl="~/Account/Login.aspx" name=".ASPXFORMSAUTH" slidingExpiration="true"/>
      </authentication>
      ...
   </system.web>
   ...
</configuration>

When I browse to the "default" page, I am able to view it, for example,

GET http://localhost:53149/WebSite/ HTTP/1.1
Host: localhost:53149

And I get the page contents:

HTTP/1.1 200 OK
Server: ASP.NET Development Server/10.0.0.0

In other words, rather than being forced to login to the web-site, I am not being forced to log in to the web-site.

It might be related to the fact that my browser is running locally to the web-server; but I'm using Forms, not Windows (and not Passport and not None) authentication.

Bonus Reading

  • An Overview of Forms Authentication (C#)
  • MSDN: Forms Authentication Provider
  • MSDN: ASP.NET Web Application Security
  • ASP.NET Forms Authentication
  • Require the user to log in to view a document using ASP.NET
  • Protect some pages from direct access in ASP.NET
  • FormsAuthentication Class
Ian Boyd asked Jun 08 '12 20:06




2 Answers

I found the answer.

Question: How do I automatically redirect non-logged in users to the login page?
Answer: Deny anonymous users access


Longer Explanation

In order to automatically redirect non-logged in users to login page, you need to deny anonymous access to "all" pages. This is done in the site's web.config file:

web.config

<?xml version="1.0"?>
<configuration>
   <system.web>
      ...
      <authorization>
         <deny users="?"/>
      </authorization>
   </system.web>
</configuration>

The special ? token is used to represent anonymous users.

This, when combined with telling Forms authentication where the "Login" page is:

<?xml version="1.0"?>
<configuration>
   <system.web>
      ...
      <authentication mode="Forms">
         <forms loginUrl="~/Account/Login.aspx" timeout="2880"/>
      </authentication>
      <authorization>
         <deny users="?"/>
      </authorization>
   </system.web>
</configuration>

means that any anonymous users will be automatically redirected to the login page.


A question that seems to never have been asked before gets answered, and everybody lives.

Ian Boyd answered Sep 25 '22 09:09
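
An added example (not from the original post or its answers): a small Python check that reads a web.config and reports where an anonymous request would still be served, which is the situation in the question (Forms authentication configured, but no `<deny users="?"/>`). The "Public" location, the function names and both sample configs are constructed for illustration; as a simplification the check looks only at the `users` attribute and ignores `verbs` and `roles`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's config (Forms auth on, no <authorization>).
QUESTION_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="~/Account/Login.aspx"/></authentication>
  </system.web>
</configuration>"""

# Constructed sample: the answer's config plus a hypothetical "Public" folder
# that a <location> override reopens to everyone.
ANSWER_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="~/Account/Login.aspx"/></authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="Public">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>"""

def rules(system_web):
    """List (action, users) pairs from <system.web><authorization>, in file order."""
    auth = system_web.find("authorization") if system_web is not None else None
    return [] if auth is None else [
        (r.tag, {u.strip() for u in r.get("users", "").split(",")})
        for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(rule_list):
    """The first rule naming '?' (anonymous) or '*' (everyone) decides."""
    for action, users in rule_list:
        if users & {"?", "*"}:
            return action == "allow"
    return True  # no match: the machine-level default <allow users="*"/> applies

def open_paths(xml_text):
    """Return the paths an anonymous request reaches without a login redirect."""
    root = ET.fromstring(xml_text)
    site = rules(root.find("system.web"))
    scopes = [("(site root)", site)]
    # A <location> block's own rules are evaluated before the inherited site rules.
    scopes += [(loc.get("path"), rules(loc.find("system.web")) + site)
               for loc in root.findall("location")]
    return [path for path, rule_list in scopes if anonymous_allowed(rule_list)]

if __name__ == "__main__":
    print(open_paths(QUESTION_CONFIG), open_paths(ANSWER_CONFIG))
```
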


If you wish to force all users to be logged in first on all pages, you can capture the authentication request in global.asax and do this programmatically:

// In Global.asax.cs; requires: using System; using System.Web; using System.Web.Security;
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // This is the page
    string cTheFile = HttpContext.Current.Request.Path;

    // Check if I am already on the login page to avoid crash
    // (case-insensitive, so "Login.aspx" is recognised as well)
    if (!cTheFile.EndsWith("login.aspx", StringComparison.OrdinalIgnoreCase))
    {
        // Extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];

        // If not logged in
        // (this tests only that the cookie is present, not that its ticket is valid)
        if (null == authCookie)
        // Alternative way of checking:
        //     if (HttpContext.Current.User == null || HttpContext.Current.User.Identity == null || !HttpContext.Current.User.Identity.IsAuthenticated)
        {
            // The second argument (true) ends the response, so nothing after this line runs
            Response.Redirect("/login.aspx", true);
        }
    }
}

This code is called on every page and checks all pages on your site.

Aristos answered Sep 23 '22 09:09