asp.net authorization - deny all before login except the register page

Question

I'm using ASP.NET Authorization to deny users access to my site before logging in, but this is also blocking the Register.cshtml page. How do I sort out my authorizations to allow this page through?

<system.web>
<authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Register.cshtml">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

possible duplicate of Allow Anonymous to call certain action in asp.net mvc 3 — Amit

Satpal Satpal · Accepted Answer · 2013-07-10T10:57:53

IMHO, you should not use web.config to control the authentication of your application instead use Authorize attribute.

Add this in your Global.asax file under RegisterGlobalFilters method

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }

or you can decorate also your controller with [Authorize]

[Authorize]
public class HomeController : Controller
{
    ...
}

For action which require Anonymous access use AllowAnonymous attribute

   [AllowAnonymous]
   public ActionResult Register() {
      // This action can be accessed by unauthorized users
      return View("Register");   
   }

As per Reference,

You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.

asp.net authorization - deny all before login except the register page

2 Answers