Hi, I've configured a web app to use Windows authentication. Two of the app's subdirectories
are configured as applications in IIS, and the main site's web.config defines those subdirs to use Forms authentication. It appears to work fine, but I have never seen a sample that
demonstrates both in the same web.config (all the samples show a
snippet outside the context of the entire web.config). I don't like
assuming I've done this correctly and securely.
Please take a look at the following from my web.config and let me
know what you think. The approach is pretty basic: I just use a
location element for each sub-dir and then set the auth mode inside
of it.
The directory structure looks like this:
|---\MainSite (configured as an app in IIS)
|   +---Secure1 (configured as an app in IIS)
|   +---Secure2 (configured as an app in IIS)
|   +---MainSiteChild1
|   +---MainSiteChild2
|web.config (in MainSite's root)
A stripped-down version of the web.config settings:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
  <!-- Site-wide defaults: Windows authentication, everyone allowed -->
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- First sub-application: Forms authentication, anonymous users denied -->
  <location path="SecureArea1">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <!-- Second sub-application: same settings as the first -->
  <location path="SecureArea2">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
What I think this mix of settings achieves is the same
thing as if the Secure1 & Secure2 subdirectories had their own web.config files.
Here's a good article about this exact topic, but it uses
the "maverick" web.configs-in-sub-dirs approach:
http://www.theserverside.net/articles/showarticle.tss?id=FormAuthentication
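The following is an added example, not part of the original post and not Microsoft code: a small Python script that reads a root web.config of the shape shown above, works out which <authentication> mode and which allow/deny rules ASP.NET would apply to a given request path (the most specific <location> that sets <authentication> wins, and a child's authorization rules are evaluated before the parent's), and flags any <location> that sets <authentication> for a path that is not an IIS application root. That last check matters because <authentication> is registered with allowDefinition="MachineToApplication": the posted approach only works because Secure1 and Secure2 are configured as applications, and the same <location> block pointed at a plain folder such as MainSiteChild1 would fail with a configuration error. The embedded web.config, the APPLICATION_ROOTS set and the deliberately wrong MainSiteChild1 block are constructed for this example; the names Secure1/Secure2 are taken from the post.

```python
"""Added example (not from the original post): resolve the effective ASP.NET
authentication/authorization settings per request path from one root web.config
that uses <location> elements, and flag misplaced <authentication> sections."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample mirroring the post's layout (Secure1/Secure2 are IIS
# applications). The MainSiteChild1 block is deliberately wrong: it sets Forms
# authentication on a plain folder that is not an application.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="Secure1"><system.web>
    <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
    <authorization><deny users="?" /></authorization>
  </system.web></location>
  <location path="Secure2"><system.web>
    <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
    <authorization><deny users="?" /></authorization>
  </system.web></location>
  <location path="MainSiteChild1"><system.web>
    <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
  </system.web></location>
</configuration>
"""
# Constructed: site-relative paths configured as applications ("" = site root).
APPLICATION_ROOTS = {"", "Secure1", "Secure2"}

@dataclass
class EffectiveSettings:
    auth_mode: Optional[str]
    login_url: Optional[str]
    rules: List[Tuple[str, str]]  # (allow|deny, users); first match decides
    source: str                   # "root" or "location:<path>" that set auth_mode

def _norm(path: str) -> str:
    return path.strip("/").lower()

def _collect(system_web: ET.Element):
    """Pull mode, forms loginUrl and allow/deny rules out of one <system.web>."""
    mode = login = None
    auth = system_web.find("authentication")
    if auth is not None:
        mode = auth.get("mode")
        forms = auth.find("forms")
        login = forms.get("loginUrl") if forms is not None else None
    authz = system_web.find("authorization")
    rules = [(r.tag, r.get("users", "")) for r in authz] if authz is not None else []
    return mode, login, rules

def load_config(xml_text: str):
    """Return (root section, [(normalised location path, section), ...])."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    site = _collect(root.find("system.web"))
    locations = [(_norm(loc.get("path", "")), _collect(loc.find("system.web")))
                 for loc in root.findall("location") if loc.find("system.web") is not None]
    return site, locations

def effective(config, request_path: str) -> EffectiveSettings:
    """Merge root and matching <location> sections the way ASP.NET does: the most
    specific location that sets <authentication> wins, and a child's authorization
    rules are evaluated before the parent's (deny ? before the root's allow *)."""
    site, locations = config
    rp = _norm(request_path)
    matches = sorted((ps for ps in locations if rp == ps[0] or rp.startswith(ps[0] + "/")),
                     key=lambda ps: len(ps[0]))  # least specific first
    mode, login, rules = site
    source = "root"
    for path, (m, l, r) in matches:
        if m is not None:
            mode, login, source = m, l, f"location:{path}"
        rules = r + rules
    return EffectiveSettings(mode, login, rules, source)

def is_allowed(settings: EffectiveSettings, username: Optional[str]) -> bool:
    """First-match evaluation as UrlAuthorizationModule does it: username None is
    an anonymous request ('?'), '*' matches everyone."""
    for verb, users in settings.rules:
        names = {n.strip().lower() for n in users.split(",")}
        if "*" in names or ("?" in names if username is None else username.lower() in names):
            return verb == "allow"
    return True  # nothing matched: ASP.NET's default is allow

def misplaced_authentication(config, application_roots) -> List[str]:
    """<authentication> is registered allowDefinition="MachineToApplication", so a
    <location> that sets it must name an application root; otherwise ASP.NET
    rejects the request with a configuration error. Returns the offending paths."""
    roots = {_norm(r) for r in application_roots}
    return [path for path, (mode, _, _) in config[1] if mode is not None and path not in roots]

if __name__ == "__main__":
    cfg = load_config(SAMPLE_WEB_CONFIG)
    for url in ("/Default.aspx", "/Secure1/Report.aspx", "/MainSiteChild2/x.aspx"):
        s = effective(cfg, url)
        print(f"{url:24} {s.auth_mode:8} via {s.source:18} anonymous allowed: {is_allowed(s, None)}")
    print("authentication set outside an app root:", misplaced_authentication(cfg, APPLICATION_ROOTS))
```

Run against the constructed sample, requests under Secure1 resolve to Forms with anonymous users denied, requests at the root or under MainSiteChild2 stay on Windows with everyone allowed, and the MainSiteChild1 block is reported as misplaced. One further point for the posted layout that the script does not model: because Secure1 and Secure2 are separate IIS applications, each validates Forms tickets with its own machineKey unless a shared <machineKey> is configured, so a login in one sub-application does not carry over to the other by default.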