.NET 4.0 Forms Authentication change?
- by James Koch
I'm seeing some new behavior in Forms Authentication after upgrading to .NET 4.0. This occurs only on IIS 6, not on 7.
Background - In web.config, we configure Forms Authentication, and then use <authorization tags to globally deny anonymous/unauthenticated users access. Then we explicitly allow access to a login.aspx page using a <location tag. Generally, this works fine, as it did when we were on .NET 2.0 (3.5).
The issue only occurs when we visit the root path of the site, ie "http://myserver/". Our default document is configured in IIS to be login.aspx. Under .NET 4.0, upon visiting that URL, we're redirected to "http://myserver/login.aspx?ReturnUrl=/". If you log in from here, you're logged in and returned back at the log in page (yuck).
Just wanted to post this here to see if anyone else is experiencing this. It's not listed on any "breaking changes" documentation I've been able to find. Either I'm missing something, or the UrlAuthorization module has changed and is no longer "smart" about IIS default documents.