I am using Forms Authentication with ASP.NET Web Forms and it successfully authenticates the user.
With these authorization settings in the web.config an anonymous user can only access the Login page.
<authorization>
<deny users="?" />
</authorization>
or
<location path="SubFolder">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
I am trying to use location tags to further allow anonymous access to additional pages, but they are ignored:
<location path="SubFolder/LoggedOut.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Following ASP.NET settings inheritance the authorization tag in the location tag should overwrite the global authorization tag.
The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list. (link)
How can I deny anonymous access to all pages but those that I specify?
The answers to this question state that what I am doing is correct. But it doesn't seem to work for me. So why does this happen? Is there a way to find out what setting blocks the acccess when I try to access a page? Is there anything I am missing?