Protecting All Files Using Forms Authentication
By Kevin T Price
Published: 3/28/2002
Reader Level: Beginner

I have seen this question numerous times in plenty of newsgroups, so I figured I would take a minute to expose one of the great mysteries of using forms authentication in ASP.NET: how do I protect the other files in my directories when I'm using forms-based authentication? The answer is some advanced configuration of IIS. Processing every possible file type through the aspnet_isapi.dll filter may raise some performance questions, but the fact is that you cannot use forms authentication to protect files that are not mapped through that filter.

For this article, I will assume that you already have a Web site configured to use forms authentication. If you have not gotten this far yet, you can apply this article to the forms authentication sample from the Microsoft .NET Framework SDK. Simply add a sample of the file type you wish to protect and substitute that file's extension in the instructions below. Before going any further, make sure that the only authentication type allowed in IIS is anonymous. This is shown in Figure 1.

Figure 1

To begin, open the IIS Management Console and open the properties page for the site that is configured to use forms authentication. From the Properties page, click the "Configuration" button on the "Directory" tab. You should see another properties page similar to that in Figure 2.

Figure 2

From here, click the "Add" button. This will bring up a dialog box similar to that shown in Figure 3. You will need to know the exact path to the file aspnet_isapi.dll on your machine. This file will be located in the %windir%\Microsoft.NET\FrameworkSDK\[version] directory.

Figure 3

From this dialog, you can click to browse, or type the exact path to where the aspnet_isapi.dll file is. If you choose to type the location, be warned that if the location is wrong, IIS will return a 500 error for any requests made to this file type. In this example, I will be mapping the .gif file extension so that all of the image files will be protected. Figure 4 shows how this dialog box will look with the correct information entered, and the correct options selected. The "Check that file exists" option is not necessary here so I will leave it unchecked. Simply enter the location of the aspnet_isapi.dll file in the "Executable" text box and the extension ".gif" - don't forget the dot - in the "Extension" text box and click "OK". Once this is complete, restart IIS.

Figure 4

After IIS has restarted, make sure that you do not have any persistent cookies for the forms authentication based site, then attempt to access a protected resource. You should get your login page, with the return URL being the originally requested URI. This process can be repeated for each file type (e.g. .pdf, .jpg) that you need to secure on your website.
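The check described above can be scripted so that every extension is tested, including ones that were never mapped. This is an added example, not part of the original article; the login page path `/login.aspx`, the host name and the sample file paths are assumptions, and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit, parse_qs


def is_forms_auth_redirect(status, location, requested_path, login_path):
    """True if the response is a 302 to login_path whose ReturnUrl
    names the originally requested path (compared case-insensitively)."""
    if status != 302 or not location:
        return False
    target = urlsplit(location)
    if target.path.lower() != login_path.lower():
        return False
    # parse_qs percent-decodes, so %2fimages%2flogo.gif -> /images/logo.gif
    query = {k.lower(): v for k, v in parse_qs(target.query).items()}
    wanted = requested_path.lower()
    return any(urlsplit(u).path.lower() == wanted
               for u in query.get("returnurl", []))


def check_protected(host, paths, login_path, port=80, timeout=5):
    """Request each path with no cookie and report whether it is gated."""
    results = {}
    for path in paths:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)  # anonymous: no Cookie header sent
            resp = conn.getresponse()  # http.client never follows redirects
            resp.read()
            gated = is_forms_auth_redirect(
                resp.status, resp.getheader("Location"), path, login_path)
            results[path] = ("protected" if gated
                             else "not redirected to login (HTTP %d)" % resp.status)
        finally:
            conn.close()
    return results


# Constructed sample responses (not captured from a real server).
SAMPLES = [
    ("/images/logo.gif", 302, "/login.aspx?ReturnUrl=%2fimages%2flogo.gif"),
    ("/docs/report.pdf", 200, None),  # extension not mapped: file served as-is
    ("/images/map.jpg", 500, None),   # mapping points at a wrong DLL path
]


def classify_samples(login_path="/login.aspx"):
    return [(p, is_forms_auth_redirect(s, loc, p, login_path))
            for p, s, loc in SAMPLES]


if __name__ == "__main__":
    for path, gated in classify_samples():
        print(path, "protected" if gated else "NOT protected")
```

Against a live site, call `check_protected("your-host", ["/images/logo.gif", "/docs/report.pdf"], "/login.aspx")` with one sample file per extension you expect to be covered.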



Copyright © 2007 CMP Tech LLC