
Asp.net Login page redirection for protected folders if not logged in

I want the user to be redirected to the login page if not logged in. The login credentials are "Admin" & "Password" always. When I log in, it redirects me to the protected files and that's exactly what I wanted. HOWEVER, I can also navigate to the Protected files without logging in. What would be the best solution? Is it something to do with my Web.Config? Below is my authorization control for my Account folder, which contains login.aspx, and I want to protect files inside my folder /Private if the user can't log in.

<location path="Account">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

Looking forward to your help!

Here is my Login.aspx's event handler after Login button click:

using System.Web.Security;   // FormsAuthentication

protected void LogIn(object sender, EventArgs e)
{
    // Checks the submitted name/password against the <credentials> element in
    // web.config; on success RedirectFromLoginPage issues the forms-auth cookie.
    if (FormsAuthentication.Authenticate(UserName.Text, Password.Text))
    {
        var persistCookie = false;
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, persistCookie);
    }

    if (IsValid)
    {
        string uname = UserName.Text.Replace(" ", "");
        string password = Password.Text.Replace(" ", "");

        if (String.Equals(uname, "Admin") && String.Equals(password, "MG32015!"))
        {
            // Only a session value is set here; no forms-authentication ticket is issued.
            Session["user"] = uname;
            Response.Redirect("~/Private/ViewEnquiry.aspx");
            //IdentityHelper.RedirectToReturnUrl(Request.QueryString["ReturnUrl"], Response);
        }
        else
        {
            FailureText.Text = "Invalid username or password.";
            ErrorMessage.Visible = true;
        }
    }
}

And the Logout.aspx.cs has this:

public partial class Account_Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Session.Clear();
        FormsAuthentication.SignOut();
        //Response.Redirect("Login.aspx");
    }

    protected void Login_Click(object sender, EventArgs e)
    {
        Response.Redirect("~/Account/Login.aspx");
    }
}

You can have different configuration for different paths. Make sure you deny unknown users to "Private".

Also, it's probably best to use the standard way of hard-coding credentials and authenticating if you're going to do things the way you are.

Here's what the config would look like:

<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" loginUrl="/login.aspx">
      <credentials passwordFormat="Clear">
        <user
          name="Admin"
          password="Password"/>
      </credentials>
    </forms>
  </authentication>
</system.web>

<!-- Account -->
<location path="Account">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<!-- Private -->
<location path="Private">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

...and here's the code (which includes the method that sets the authentication cookie):

using System.Web.Security;   // FormsAuthentication

protected void LogIn(Object sender, EventArgs E)
{
  // authenticate user: this sample authenticates
  // against users in your app domain's web.config file
  if (FormsAuthentication.Authenticate(UserName.Text,
                                       Password.Text))
  {
    var persistCookie = false;
    // this is what actually sets the auth cookie (and sends the user
    // back to the ReturnUrl, or to the forms defaultUrl when there is none).
    FormsAuthentication.RedirectFromLoginPage(UserName.Text, persistCookie);
  }
}

Also note that you can access the user name from the cookie without relying on session thusly:

HttpContext.Current.User.Identity.Name
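Why the question's web.config lets anonymous requests into /Private while the answer's config blocks them comes down to how ASP.NET evaluates `<authorization>` rules: rules from the most specific `<location>` are consulted first, then the parent's, then the machine-level default `<allow users="*"/>`, and the first rule that matches the request wins. The block below is an added example, not code from the question or the answer: a small Python model of that evaluation order, with the two configs from this page plus two extra constructed ones (a wrong-order block and a deny-by-default root) that go beyond what the page shows. The `Rule`/`Config` types, function names and request paths are this example's own; it models users and roles only, not HTTP verbs.

```python
"""Model of how ASP.NET's UrlAuthorizationModule evaluates <authorization> rules.

Constructed illustration, not code from the page. Evaluation order (as in ASP.NET):
rules from the most specific <location> come first, then parent rules, then the
machine-level default <allow users="*"/>; the first rule that matches wins.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    users: Tuple[str, ...] = ()  # user names, "*" (everyone) or "?" (anonymous only)
    roles: Tuple[str, ...] = ()


# A config is {location path: [rules in document order]}; "" is the root <system.web>.
Config = Dict[str, List[Rule]]

MACHINE_DEFAULT = Rule("allow", ("*",))  # applies when nothing more specific matched


def _location_covers(location: str, request_path: str) -> bool:
    """True when <location path=...> applies to the request (itself or anything below it)."""
    if location == "":
        return True
    loc = location.strip("/").lower()
    req = request_path.strip("/").lower()
    return req == loc or req.startswith(loc + "/")


def effective_rules(config: Config, request_path: str) -> List[Rule]:
    """Rules in the order ASP.NET consults them for this path: child before parent."""
    locations = [loc for loc in config if _location_covers(loc, request_path)]
    locations.sort(key=len, reverse=True)  # more specific location first
    rules: List[Rule] = []
    for loc in locations:
        rules.extend(config[loc])
    rules.append(MACHINE_DEFAULT)
    return rules


def _matches(rule: Rule, user: Optional[str], roles: Sequence[str]) -> bool:
    """Name matching is case-insensitive; '?' matches only anonymous requests."""
    for name in rule.users:
        if name == "*":
            return True
        if name == "?" and user is None:
            return True
        if user is not None and name.lower() == user.lower():
            return True
    return any(r.lower() == have.lower() for r in rule.roles for have in roles)


def is_authorized(config: Config, request_path: str,
                  user: Optional[str] = None, roles: Sequence[str] = ()) -> bool:
    """First matching rule decides; user=None means an anonymous (not logged in) request."""
    for rule in effective_rules(config, request_path):
        if _matches(rule, user, roles):
            return rule.action == "allow"
    return True  # unreachable: MACHINE_DEFAULT always matches


# --- constructed configs mirroring the page ---------------------------------
# The question's web.config: only <location path="Account"><allow users="?"/>.
ASKER_CONFIG: Config = {"": [], "Account": [Rule("allow", ("?",))]}

# The answer's web.config: Account open to everyone, Private denies anonymous users.
ANSWER_CONFIG: Config = {
    "": [],
    "Account": [Rule("allow", ("*",))],
    "Private": [Rule("deny", ("?",))],
}

# Common mistake (constructed): allow * listed before deny ? in the same block;
# first match wins, so the deny is never reached.
WRONG_ORDER_CONFIG: Config = {
    "": [],
    "Private": [Rule("allow", ("*",)), Rule("deny", ("?",))],
}

# Deny-by-default variant (constructed): anonymous users are denied at the root and
# only the login folder is opened, so new folders are protected without extra config.
ROOT_DENY_CONFIG: Config = {
    "": [Rule("deny", ("?",))],
    "Account": [Rule("allow", ("*",))],
}


if __name__ == "__main__":
    page = "/Private/ViewEnquiry.aspx"
    for label, cfg in [("question", ASKER_CONFIG), ("answer", ANSWER_CONFIG),
                       ("wrong order", WRONG_ORDER_CONFIG), ("root deny", ROOT_DENY_CONFIG)]:
        print(f"{label:12s} anonymous -> {page}: {is_authorized(cfg, page)}")
        print(f"{label:12s} Admin     -> {page}: {is_authorized(cfg, page, user='Admin')}")
```

Running it shows the question's config authorizing an anonymous request to /Private/ViewEnquiry.aspx (only the machine default ever matches), the answer's config denying it, and the wrong-order config silently allowing it. Two caveats the model does not cover: URL authorization only protects resources that go through the ASP.NET pipeline, and the `<credentials passwordFormat="Clear">` element in the answer keeps the password in plain text inside web.config, so anyone who can read that file has the login.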

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

© 2020-2024 STACKOOM.COM