Here's a question I asked myself the other day for my side project that, for some reason, kept eluding me. Googling for any type of help returned either basic web.config settings or detailed explanations of how the web.config worked. None, however, gave me what I was looking for. Looking back, this article that I read a while back had the answer, but I was quick to overlook it because it didn't address my problem directly.

The question I had was this: on my secure site (protected by Windows FormsAuthentication), how would I allow certain pages to be excluded (i.e., ForgotPassword.aspx) from authentication? Sounds easy enough, and I know that it's possible, but what is the syntax for it? Oddly enough, none of my past projects, personal or professional, had ever run across this scenario.

One way that I know of offhand to solve this problem is to create a directory, in my case I called it \Common, and add a web.config to that location allowing access for everyone.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
Side note for those of you that didn't know: each directory can have its own web.config, each inheriting from the web.config in the directory above it. The top level web.config, the one we all primarily work with, inherits from machine.config, located in the \WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG directory (your version of the .NET framework may be different).
This directory access could also be done via the top level web.config as follows:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="AuthCookie" path="/" loginUrl="Login.aspx" protection="All" timeout="10" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="Common">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
So, the above directory access worked, but I wasn't satisfied with it. I want to modify my top level web.config to allow one or a few pages to be unsecured. Creating unsecured directories to allow only a few pages access isn't efficient or clean for handling a small number of pages. On the other hand, if I had a large number of pages, that solution would be optimal.

So lo and behold, while working on an internal project yesterday (one that I had yet to work on), I found the answer to my problem staring me in the face. By adding a location element to the configuration node, you can allow access to one or a handful of pages.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="AuthCookie" path="/" loginUrl="Login.aspx" protection="All" timeout="10" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="ForgotPassword.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
An easy answer to a simple problem that nobody seemed to address directly.