IIS – How to Stop Redirect (Forms Authentication) from Root URL

asp.net, authentication, iis-7

I have an ASP.NET application with Forms Authentication enabled, deployed to an IIS 7 server. In the web.config file I have added <location> sections to exclude the default documents (index.html/default.aspx) from authentication.

If I navigate directly to http://mysite.com/default.aspx, it works as expected. It doesn't ask for authentication. However, if I navigate to http://mysite.com/, it always redirects to the forms authentication login page.

I have the default document set up in IIS as default.aspx, but it will always redirect if I don't include the default.aspx page in the URL.

Is there any way to prevent the redirect to the login page if a user is navigating to just the 'root' site?

Best Answer

The location tags can target specific files and subfolders but can't target the root (i.e. /). One option is to start with all allowed and block files and folders. The problem there is that if you forget to do this for new folders your site can be vulnerable.

I believe that you can use URL Rewrite to handle the default doc and point to default.aspx with a 'rewrite' rule. For example, in the url match, use "^$" which means exactly nothing. Then for the action, rewrite to /default.aspx. Then .NET will see /default.aspx and won't redirect for you.
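
A sketch of the configuration the answer describes, added here as an example and not taken from the original post. It assumes the IIS URL Rewrite module is installed; the rule name `RootToDefaultDoc` and the `loginUrl` value are hypothetical.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl is an assumed value; use the application's real login page -->
      <forms loginUrl="~/login.aspx" />
    </authentication>
    <!-- Deny by default: anonymous users are blocked everywhere unless
         a <location> element below explicitly allows them -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The only anonymous exception: the default document itself -->
  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <rewrite>
      <rules>
        <!-- "^$" matches only the empty path, i.e. a request for the site root.
             Rewrite (not Redirect) keeps the URL in the browser unchanged while
             ASP.NET authorizes the request as /default.aspx. -->
        <rule name="RootToDefaultDoc" stopProcessing="true">
          <match url="^$" />
          <action type="Rewrite" url="/default.aspx" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

This keeps the deny-by-default posture, so a folder added later stays protected without any extra configuration.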
