Asp.net / IIS authentication for static content (for example images) best practices

Question

I need to make a website with authentication of static content (images, html files, etc.)

I've already build a private section protected with a login form against a users database; but if a user knows the url of a static file of that section, it will be served anyway, logged in or not.

What are the best practices for protecting static content in asp.net?

I've found this article from 4 guys from rolla, it is suitable (it works only in IIS 7.0)?

Best practices for IIS 6.0?

---

EDIT: if i put

  <location path="ImagesPrivate">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

this works well, but only for .aspx files, not images or other static contents.

Answer 1

If you want to use forms auth to protect non-.net content (such as static content) on IIS6 you have 2 choices.

One is but the content in a non-browsable location & build a handler to get the content. The other option is to use wildcard mapping.

You should probably test both approaches to see which best fits your use cases.