I am using FormsAuthentication to prevent anonymous users from accessing any content on my site, other than the pages within /pages/security - this folder contains the login page, forgotten password, etc.
<system.web>
    <authorization>
        <deny users="?" />
    </authorization>
</system.web>
<location path="pages/security">
    <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
</location>
This works fine, but I also want to deny access for AUTHENTICATED users to the /pages/security pages, so that an authenticated user can't access the login page or other related pages.
The above doesn't work, so once logged in I can still access the login page - what am I doing wrong?
Thanks.
You can use this approach.
When a user is authenticated and you want to stop him from accessing the login page etc., you can use these pages' Page_Load event to check the user's authenticity; if they are authentic, redirect them to another page.
For example
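protected void Page_Load(object sender, EventArgs e)
{
    // Send an already-authenticated user away from this page.
    if (IsUserAuthentic())
    {
        Response.Redirect("Home.aspx");
    }
}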
IsUserAuthentic() is your custom method which will check user's authenticity.
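
An added example (not part of the original answer): one way to apply the check to every page under /pages/security at once, through a shared base class. The class name AnonymousOnlyPage is hypothetical; Request.IsAuthenticated and FormsAuthentication.DefaultUrl are standard ASP.NET members, used here in place of a custom IsUserAuthentic() method.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: the code-behind of each page under
// /pages/security (login, forgotten password, ...) inherits from this
// instead of System.Web.UI.Page, so the check lives in one place.
public class AnonymousOnlyPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        // True once the forms authentication ticket for this request
        // has been validated, i.e. the user is logged in.
        if (Request.IsAuthenticated)
        {
            // Redirect to the defaultUrl configured on the <forms> element
            // and ignore any ReturnUrl in the query string. Forms
            // authentication also sends a logged-in user to the login page,
            // with a ReturnUrl, when an authorization rule denies them;
            // bouncing back to that URL would loop, and the value is
            // supplied by the caller.
            Response.Redirect(FormsAuthentication.DefaultUrl);
        }

        // Anonymous users fall through; base.OnLoad raises the Load event,
        // so the derived page's own Page_Load runs as usual.
        base.OnLoad(e);
    }
}
```

A page opts in by changing its code-behind declaration to inherit from AnonymousOnlyPage; the web.config rules that allow anonymous users into the folder stay as they are.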