Tags: asp.net, web-config, forms-authentication, iis-express

Why a 302 Redirect response when I expect 200 OK


TLDR

The web site I am hired to maintain handles security in two places: web.config Forms authentication, and by checking the Session cookie in code-behind in the MasterPage. So changing security details, like making some pages accessible without login, requires changes in both places. Just forget about one, and strange things happen in the network dev tools...


My web site is working really nicely, but the small problems left keep me puzzled. It uses Forms authentication, but all files in the root are unrestricted; only some directories have deny users=? in the local web.config. Still, asp pages in the root cannot be accessed before login, and respond with a 302 Found, Redirect.

This is part of web.config in the root:

<authentication mode="Forms">
  <forms name="MYWEBAPP.ASPXAUTH" loginUrl="~/Welkom.aspx"
    protection="All" timeout="181" slidingExpiration="true" path="/"/>
</authentication>

and there is no <authorization> section.

The user is supposed to be allowed, before login, to visit pages like /Cookies.aspx, but with the Firefox F12 Dev Tools, tab Network, I see a response of 302, followed by a redirection to /Login.aspx.

This leads to two questions:

  1. why 302, and not simply 200 OK and show the Cookies page?
  2. why going to /Login.aspx and not /Welkom.aspx?

I admit that the Welkom.aspx might look strange here, but it worked nicely for years, and it does a Response.Redirect("/Login.aspx") if a suitable URL is in the query params. But I checked with a debugger breakpoint in Page_Load(), and in the above questions, the Welkom.aspx.cs is NOT visited, so somehow the IIS(Expr) goes straight to /Login.aspx, very strange.


Solution

  • The problem was not about how HTTP works, but about my own code somewhere in the MasterPage code-behind that called Response.Redirect(). When your code base is getting large, such human errors creep in. So there is nothing technical to learn from this question.
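
The drift described in the TLDR, where web.config leaves a page open but the MasterPage check still redirects it, can be caught by comparing the two rule sets. This is an added example, not code from the original post: the page list, the /Admin directory and the code-behind allow-list are hypothetical, and `<location>` elements are not handled.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample: root web.config as on the page (no <authorization>),
# plus a hypothetical /Admin directory whose local web.config denies anonymous users.
CONFIGS = {
    "/": """<configuration><system.web>
      <authentication mode="Forms">
        <forms name="MYWEBAPP.ASPXAUTH" loginUrl="~/Welkom.aspx" />
      </authentication>
    </system.web></configuration>""",
    "/Admin": """<configuration><system.web>
      <authorization><deny users="?" /></authorization>
    </system.web></configuration>""",
}
# Hypothetical: pages the MasterPage code-behind lets through without a session.
CODE_PUBLIC = {"/Login.aspx", "/Welkom.aspx"}
PAGES = ["/Cookies.aspx", "/Login.aspx", "/Welkom.aspx", "/Admin/Users.aspx"]

def anonymous_rule(config_xml):
    """First <allow>/<deny> rule that matches the anonymous user, or None."""
    auth = ET.fromstring(config_xml).find("system.web/authorization")
    for rule in (auth if auth is not None else []):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag in ("allow", "deny") and ("?" in users or "*" in users):
            return rule.tag  # URL authorization stops at the first matching rule
    return None

def config_allows_anonymous(page, configs):
    """Walk from the page's directory up to the root; the nearest matching rule wins."""
    directory = posixpath.dirname(page)
    while True:
        verdict = anonymous_rule(configs[directory]) if directory in configs else None
        if verdict:
            return verdict == "allow"
        if directory == "/":
            return True  # inherited default is <allow users="*"/>
        directory = posixpath.dirname(directory)

def find_drift(pages, configs, code_public):
    """Pages on which web.config and the code-behind allow-list disagree."""
    public = {p.lower() for p in code_public}
    drift = {}
    for page in pages:
        cfg, code = config_allows_anonymous(page, configs), page.lower() in public
        if cfg != code:
            drift[page] = "config allows, code redirects" if cfg else "code allows, config denies"
    return drift
```

With the constructed data, `find_drift(PAGES, CONFIGS, CODE_PUBLIC)` flags only /Cookies.aspx, the page that answered 302 in the question.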