Thanks Mike, these are the ones we've tried:
loginUrl="LoginForm.aspx" Initial login OK, but after session end redirect goes to invalid: /<unsecure>/<unsecure>/loginForm.aspx NOTE: this is the one we'd most like to use to minimize installation hassles. loginUrl="..\<secure>\LoginForm.aspx" Initial login OK, but after session end redirect goes to invalid: /<unsecure>/<unsecure>/loginForm.aspx loginUrl="http:\\localhost\<unsecure>\<secure>\LoginForm.aspx" Initial login fails, HTTP 404 error reports trying to access /<unsecure>/<secure>/loginForm.aspx NOTE: this path (as much as error msg shows) is correct, but being reported as HTTP 404! loginUrl="<unsecure>\<secure>\LoginForm.aspx" Initial login fails, HTTP 404 error reports trying to access /<unsecure>/<unsecure>/loginForm.aspx loginUrl="<unsecure>/<secure>/LoginForm.aspx" Initial login fails, HTTP 404 error reports trying to access /<unsecure>/<unsecure>/loginForm.aspx loginUrl="<secure>\LoginForm.aspx" Initial login fails, HTTP 404 error reports trying to access /<unsecure>/<secure>/<secure>/LoginForm.aspx loginUrl="http:\\<servername>\<unsecure>\<secure>\LoginForm.aspx" No attempt at initial login because Windows integrated security login pops up loginUrl="\<unsecure>\<secure>\LoginForm.aspx" No attempt at initial login because Windows integrated security login pops up Per those last two, our authorization section includes this rather schizophrenic declaration: <authorization> <deny users="?" /> <allow users="*" /> </authorization> We found this repeated in a number of Microsoft and non-Microsoft examples for our situation (forms with AD authentication) so we've used it. -----Original Message----- From: Moderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Giagnocavo Sent: Thursday, January 30, 2003 12:49 PM To: [EMAIL PROTECTED] Subject: Re: [ADVANCED-DOTNET] Forms authentication redirects to non-existant URL Maybe you should specify a relatively more absolute path for the loginUrl? (/unsec/sec/login.aspx)? -mike -----Original Message----- From: Moderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Sent: Thursday, January 30, 2003 10:05 AM To: [EMAIL PROTECTED] Subject: Forms authentication redirects to non-existant URL We have a directory structure like this: wwwroot\<unsecure>\<secure> Users click a link on a simple HTML page in the <unsecure> directory to request HomePage.aspx in the <secure> directory, which contains a forms-authenticated ASP.NET application. The system redirects them to wwwroot\<unsecure>\<secure>\LoginForm.aspx They log in, and HomePage.aspx appears. Works perfectly. HOWEVER, if the user leaves a page of the application open long enough for the session to expire, and then tries to use the page, the system redirects the request to wwwroot\<unsecure>\<unsecure>\LoginForm.aspx There is no such path, and the user gets a "Resource not found" HTTP 404 error. Where is the system getting this non-existant URL? ADDITIONAL INFORMATION: web.config looks like this: <authentication mode="Forms"> <forms name="myCookieName" loginUrl="LoginForm.aspx" protection="All" timeout="30" path="/"></forms> </authentication> The <unsecure> directory is just simple IIS, not even configured as an IIS application. It contains only a simple HTML page and the images and css for it. The directory is set for anonymous and windows, and the anonymous user is the default IUSR_MACHINE. The <secure> directory inside it is configured as an IIS application and includes web.config and the rest of our ASP.NET application. It is set for anonymous and windows. The anonymous user is a domain username created for the application. The same user is configured in machine.config - in processModel we have replaced machine/autogenerate with domainusername/strongpassword - as per MS recommendation in Building Secure ASP.NET Applications. You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com. You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com. You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
