How to restrict access to Anonymous Users with Forms Authentication in ASP.NET

From practical point of view, you do not need to restrict access to pages in order to use authentication. In this article will be demonstrated the redirection functionality of forms authentication. This functionality forces ASP.NET to redirect anonymous users to the login page. You can use the simple technique of denying access to all unauthenticated users. To do this, you must use the <authorization> element of the web.config file to add a new authorization rule, as shown here:



<!– Other settings omitted. –>


<deny users=”?” />





The question mark (?) is a wildcard character that matches all anonymous users. By including this rule in your web.config file, you specify that anonymous users are not allowed. Every user must be authenticated, and every user request will require the forms authentication ticket (which is a cookie). If you request a page in the application directory now, ASP.NET will detect that the request isn’t authenticated and attempt to redirect the request to the login page (which will probably cause an error, unless you’ve already created this page).