I have two virtual servers from two different hosting companies. Publishing the same MVC3 site on each server produces different results for a folder that is supposed to be protected by forms authentication. The files are of various extensions.
On one server, requesting the file redirects the user to the login page (correct behaviour for our app) but the other allows the downloads.
Both web.config files are the same for everything that’s relevant as far as I can see, so where does this get set?
TIA
Is the file type (for example somefile.xyz) mapped to asp.net or are you running an older version of IIS or in classic mode?
if .xyz is not mapped to asp.net then IIS will allow the download (in some cases – unknown extensions depending on the version of iis will result in a 404 for security purposes)
Are they different versions of IIS? If one is setup for classic mode (the worker process) or its an older version of IIS (6 for example) the file request won’t funnel through IIS unless you setup a wildcard mapping.
If it is running in integrated pipeline mode, then it will funnel through IIS and you would see the login (assuming users, auth, and forms auth are setup correctly)