asp.net froms authentication always redirects

Question

My website should have some parts that can only be seen when the user is authenticated, some parts that are visibile to everyone.

The forms authentication always redirects the user to the login page no matter what page is visited. Does that mean I should not use forms authentication? How can I solve this issue?

Answer 1

For me, the problem was the MachineKey. It's required to decrypt/encrypt the cookie if you are doing that (for example: a web farm). Because the app couldn't decrypt the cookie, even though it was getting passed back and forth, the app acted like the cookie wasn't even there. Adding this setting to web.config fixed it for me:

<machineKey compatibilityMode="Framework20SP2" validationKey="some_hard_coded_long_key" decryptionKey="another_hard_coded_long_key" validation="SHA1" />

See this article for more on the machinekey.

Answer 2

Use <location> element in web.config to set which pages are protected. You need to remove the authorization from the whole web site set it for each protected page in the <location> element.
A common approach is to place all protected pages in a separate folder and specify the location path to that folder.
Another one is to have a class which inherits System.Web.Page and at the Init event to redirect the user to some page, if is not authenticated. Every page should then inherit this page.

<system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>