We have a directory structure like this: wwwroot\<unsecure>\<secure>
Users click a link on a simple HTML page in the <unsecure> directory to request HomePage.aspx in the <secure> directory, which contains a forms-authenticated ASP.NET application. The system redirects them to wwwroot\<unsecure>\<secure>\LoginForm.aspx They log in, and HomePage.aspx appears. Works perfectly. HOWEVER, if the user leaves a page of the application open long enough for the session to expire, and then tries to use the page, the system redirects the request to wwwroot\<unsecure>\<unsecure>\LoginForm.aspx There is no such path, and the user gets a "Resource not found" HTTP 404 error. Where is the system getting this non-existant URL? ADDITIONAL INFORMATION: web.config looks like this: <authentication mode="Forms"> <forms name="myCookieName" loginUrl="LoginForm.aspx" protection="All" timeout="30" path="/"></forms> </authentication> The <unsecure> directory is just simple IIS, not even configured as an IIS application. It contains only a simple HTML page and the images and css for it. The directory is set for anonymous and windows, and the anonymous user is the default IUSR_MACHINE. The <secure> directory inside it is configured as an IIS application and includes web.config and the rest of our ASP.NET application. It is set for anonymous and windows. The anonymous user is a domain username created for the application. The same user is configured in machine.config - in processModel we have replaced machine/autogenerate with domainusername/strongpassword - as per MS recommendation in Building Secure ASP.NET Applications. You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
