Security issue with .htm pages in folders

Discussion in 'ASP .Net' started by Magnus Blomberg, Sep 9, 2004.

  1. Hi there!

    I am using VS 2005 beta for developing my new web application.
    I have a security issue, and I don't know if it is a mistake on my part, an IIS6 problem or a VS beta problem.

    I have a web application where the first page is public and IIS is set up with Anonymous login enabled and Integrated Windows authentication.
    All other pages are placed under a folder called Protected, created from VS.
    My web.config looks like this (shortened):

    <authentication mode="Windows"/>
    <location path="Protected">
    <allow users="projdev\prospects"/>
    <deny users="*"/>

    The problem is that I CAN browse all .htm pages under the folder Protected. The pages named .aspx are protected as they should be.

    Is it not "allowed" to use .htm pages in my app, or am I doing something wrong?

    Regards Magnus
    Magnus Blomberg, Sep 9, 2004

  2. Magnus Blomberg

    Rutger Smit Guest

    .htm and .html files are not handled by the ASP(.NET) parser, so you can
    request them without a problem.

    To change this: rename the files to .aspx or let the htm(l) files being


    Rutger Smit, Sep 9, 2004
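
Added example, not part of the thread: an audit sketch for the gap described above, where `<authorization>` rules only apply to requests that ASP.NET handles. It reads the `<location>` entries that carry a `<deny>` rule and lists files under those folders whose extension is not routed to ASP.NET. The function names, the `ASPNET_EXTENSIONS` set and the sample site tree are assumptions made for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption: extensions mapped to ASP.NET on this server (verify in the IIS mappings).
ASPNET_EXTENSIONS = {".aspx", ".ascx", ".ashx", ".asmx", ".axd"}

# Constructed sample: a complete web.config of the kind the question describes.
SAMPLE_CONFIG = r"""<configuration>
  <system.web><authentication mode="Windows"/></system.web>
  <location path="Protected">
    <system.web><authorization>
      <allow users="projdev\prospects"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""

def restricted_paths(web_config_xml):
    """Return every <location path> whose authorization section has a <deny>."""
    root = ET.fromstring(web_config_xml)
    return [loc.get("path", "") for loc in root.iter("location")
            if loc.find("system.web/authorization/deny") is not None]


def unprotected_files(site_root, web_config_xml, handled=ASPNET_EXTENSIONS):
    """List files under restricted folders that ASP.NET never gets to authorize."""
    findings = []
    for rel in restricted_paths(web_config_xml):
        for folder, _dirs, files in os.walk(os.path.join(site_root, rel)):
            for name in files:
                if os.path.splitext(name)[1].lower() not in handled:
                    path = os.path.relpath(os.path.join(folder, name), site_root)
                    findings.append(path.replace(os.sep, "/"))
    return sorted(findings)


def demo():
    """Audit a constructed site tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "Protected", "docs"))
        for rel in ("default.aspx", "Protected/report.aspx",
                    "Protected/help.htm", "Protected/docs/manual.HTML"):
            open(os.path.join(site, *rel.split("/")), "w").close()
        return unprotected_files(site, SAMPLE_CONFIG)


if __name__ == "__main__":
    print(demo())
```

Each path it reports is served by IIS directly under the anonymous access setting, so it needs either an ASP.NET-handled extension or its own access control.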

  3. Ok, then I know. I will rename them.

    Regards Magnus
    Magnus Blomberg, Sep 9, 2004
