The security that ASP.NET has built in is pretty cool. Just modify your web.config and you're set. The problem I was running into was that some web apps only needed to have a single directory secured (like /Admin). In the past I would have the typical security and then insert a separate web.config in each directory that was unsecured. As the app grew I'd just plop a new web.config in each directory that looked like the following:
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
    <customErrors mode="RemoteOnly"/>
  </system.web>
</configuration>
I mean, hey, it works, right? Well, instead of adding this to each and every directory, I worked with Bill Pierce to get it so you just enter the following in your root directory's web.config:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="Web.Security" protection="All" timeout="60" loginUrl="Admin/Default.aspx?Page=Login" />
    </authentication>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
Notice the location tags with the path attribute. This tells my app that the Admin folder is the only one that we need to handle security on. So now, users won't get a login prompt unless they go to the admin folder.
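To check which paths a root web.config like this leaves open to anonymous visitors, the following added example (not part of the original post) models URL authorization's rule order: the most specific `<location>` first, then the root rules, first match wins. `anonymous_allowed` and `_rules` are hypothetical helper names, and the model assumes a single root web.config and ignores `roles`, `verbs` and the exemption ASP.NET gives the forms login page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root web.config shown in the post.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="Web.Security" protection="All" timeout="60" loginUrl="Admin/Default.aspx?Page=Login" />
    </authentication>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _rules(node):
    """Return (action, users) pairs from node's system.web/authorization, in order."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, url_path):
    """Hypothetical helper: would an unauthenticated request for url_path
    pass URL authorization under this config?"""
    root = ET.fromstring(config_xml)
    target = url_path.strip("/").lower()
    scopes = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if target == p or target.startswith(p + "/"):  # folder boundary, not a bare prefix
            scopes.append((len(p), loc))
    ordered = [loc for _, loc in sorted(scopes, key=lambda s: -s[0])] + [root]
    for scope in ordered:
        for action, users in _rules(scope):
            if "*" in users or "?" in users:  # both match an anonymous caller
                return action == "allow"
    return True  # inherited machine-level default: <allow users="*" />

if __name__ == "__main__":
    for path in ("/Default.aspx", "/Admin/Users.aspx", "/Administrator/x.aspx"):
        print(path, "anonymous allowed:", anonymous_allowed(WEB_CONFIG, path))
```

Note that `<deny users="?" />` rejects only anonymous requests, so every authenticated account reaches Admin unless a role or user rule is added to that `<location>` block.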