i have 2 pages : Login.aspx and Satis.aspx. i redirected from Login.aspx to Satis.aspx if authentication is correct . if i signout from satis i redirected to Login.aspx. But if i write satis.aspx’ url on web scanner i entered satis.aspx. But i am not sign in Satis.aspx. i should’t enter Satis.aspx directly.
my web config:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" path="/" protection="All">
<credentials>
<user name="a" password="a"></user>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="~/ContentPages/Satis/Satis.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>Login.aspx.cs:
protected void lnkSubmit_Click(object sender, EventArgs e)
{
if(FormsAuthentication.Authenticate(UserEmail.Value,UserPass.Value))
{
FormsAuthentication.RedirectFromLoginPage
(UserEmail.Value, PersistForms.Checked);
}
else
Msg.Text = "Invalid Credentials: Please try again";
}Satis.aspx
protected void LogoutSystem_Click(object sender, EventArgs e)
{
FormsAuthentication.SignOut();
Response.Redirect("~/Login/Login.aspx");
}
I think you should use “deny users=”?”” instead of “allow users=”*”” in your web.config file
[*] means all users even those who did not pass authentication
[?] means only users who passed authentication