How do I allow anonymous access to just one controller?

Question

I am using MVC 2.0 with forms authentication. I want to allow public access to one controller called "Logout". Currently whenever I browse to it I get bounced to Login.

<authentication mode="Forms">
  <forms loginUrl="Login/Login"  
         protection="All" timeout="30"
         name=".ASPXAUTH" 
         path="/" 
         requireSSL="false" 
         slidingExpiration="true"
         defaultUrl="Token/Create" 
         cookieless="UseDeviceProfile" 
         enableCrossAppRedirects="false" />
</authentication>

<!-- Deny Anonymous users. -->
<authorization>
  <deny users="?" />
</authorization> 

---

Update: I am using WIF and each time the user arrives at the registration page (anonymous access) I need to sign them out, to ensure that they have the latest claims in their token, and are not just allowed in with a stale token. Their claims are coming in via the request to the registration page.

Answer 1

As SLaks mentioned, there should be no need for a non-logged-in user to access the Logout action. But, if you want to enable anonymous access to controllers / actions you have to enable it in your Web.Config:

<location path="~/Logout">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

A better approach for a pure MVC app is to use the Authorize attribute and enable access to all users in the web.config.

Answer 2

you are better off using attributes on your controllers and/or controller actions than specifying authorization in config. [Authorize] for the actions you want limited to authenticated users and then the ones without the attribute are publicly available.