The membership API is built on top of forms authentication. It provides you with an out-of-the-box infrastructure for managing and authenticating users. For that reason, you have to configure your application for forms authentication as a first step. Usually, the root directory of the web application grants access to anonymous users, while restricted resources are stored in subdirectories with restricted access. When someone tries to access resources stored in this secured directory, the ASP.NET runtime automatically redirects the user to the login page. Typically, the root directory, which is accessible to anonymous users, includes features such as a login page and a registration page. The next picture presents the structure of the web application.

Folder and file structure of a web application with a secured area

So, in the root directory of the web application, you just configure forms authentication by including the following:

    <system.web>
      <!-- Enable forms authentication for the whole application -->
      <authentication mode="Forms" />
    </system.web>

This configuration specifies forms authentication and allows anonymous access to the pages. In the secured subdirectory, you add an extra web.config file with the following contents:

    <configuration>
      <system.web>
        <authorization>
          <!-- "?" matches anonymous (unauthenticated) users -->
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

This configuration denies any anonymous user access to the website’s secured subfolder. If someone who is not authenticated tries to access resources placed in this directory, the ASP.NET runtime automatically redirects the user to the (publicly available) login page. In this case, you have to create the login page on your own, but it’s much easier and much less work with the membership API.
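The same layout can be expressed in one root web.config, with the forms ticket settings made explicit. This is an added example, not configuration from the original article; the login page name `Login.aspx` and the folder name `Secured` are assumed placeholders.

```xml
<?xml version="1.0"?>
<!-- Root web.config (added example). "Login.aspx" and the folder name
     "Secured" are assumed placeholders, not names from the article. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl: where unauthenticated requests are redirected.
           requireSSL: the ticket cookie is only sent over HTTPS.
           protection="All": the ticket is encrypted and validated (the default).
           cookieless="UseCookies": the ticket never travels in the URL.
           timeout: ticket lifetime in minutes. -->
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             protection="All"
             cookieless="UseCookies"
             timeout="20"
             slidingExpiration="true" />
    </authentication>
    <!-- Root stays open to anonymous users (login and registration pages). -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Same effect as a separate web.config inside the secured folder:
       "?" matches anonymous users, so they are denied here. -->
  <location path="Secured">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Authorization rules are evaluated in order and the first match wins, so any `allow` entry placed above `<deny users="?" />` in the secured section would let anonymous requests through.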