Geeks With Blogs
New Things I Learned

I was playing around with Live ID Controls and trying to do a sample project to have my page integrate both Live ID authentication and my own forms-based authentication.  This reminds me of the first .NET project that I did way back...

Rewind time...

Back in 2001, I got involved in creating a new web page to allow our clients to send their files to us, and we decided to use .NET (still in Beta 1 at the time).  I learned about using Forms-based authentication, which was nice since accesses to any page other than the login page will automatically be redirected back to the login page.  But we wanted to provide a password recovery page as well, and looking as hard as I can, I could not find a way to set exception on pages (in the same web project) to not use the forms-based authentication, which we like to have for all other pages.

I was annoyed by that and in the end admitted defeat and ended up creating a separate (1 webform) project that contains the password recovery page.

Fast forward in time...

I haven't done much web development in the past 4 years, mostly desktop client apps, and my playing around with Windows Live ID reminded me of that challenge.  Distracted, I set out to seek if I can find an answer this time, especially since I know with the set of login controls in ASP.NET 2.0, it has a password recovery control as well.  I went to MSDN and start reading on those controls, read on the authentication / authorization elements in web.config, dug around a bit, and found my answer.

Apparently there's a <location> element that you can apply to specify a path (directory or actual file) that you can then specify different authorization mechanism.  The kicker was that the element is not a child of <system.web>, rather (for my need) it will become a parent of <system.web>.  Oh yeah, it's also new in .NET 2.0.

So, without further ado, the following config will allow a page (PasswordRecovery.aspx) to be accessed without any authentication, while still retaining Forms-based authentication for all the other pages.

 <location path="PasswordRecovery.aspx">
        <allow users="?" />
    <authentication mode="Forms" >
      <forms loginUrl="UserLogin.aspx" />
      <deny users="?" />
    <!-- Other configuration settings -->

You can provide a directory path instead to have all the webforms in that directory be free of Forms-based authentication.  I'm somewhat glad to get this particular piece of knowledge, because it has been nagging me for quite a long time.  In any case, the solution doesn't quite work for the website I worked on - this solution only works for .NET 2.0 and up, and the website (still running strong) is still using .NET 1.1.  So if anyone knows how to do this in 1.1 (or 1.0), I would appreciate the info.

Posted on Saturday, January 26, 2008 7:23 AM ASP.NET | Back to top

Comments on this post: Allow other pages to be anonymously viewed with Forms Authentication

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Muljadi Budiman | Powered by: