Listing 1. Configuration Settings of web.config

Listing 1. Configuration settings of web.config
The <authentication> element specifies ASP.NET forms-based authentication as the default authentication mode.

The <forms> element specifies the name of the HTTP authentication cookie (the default is .ASPXAUTH) and URL of the login page.

The <location> element specifies the path to the folder whose files are denied to anonymous users (users ="?"). Authenticated users are allowed access to the pages.

<configuration>
   <!-- enable Forms authentication -->
   <system.web>     
      <authentication mode= "Forms">
         <forms name="SECAUTH" loginUrl="/login.aspx" />
      </authentication>
   </system.web>

   <!-- Require authorization for all files in the "member" subdirectory -->
   <location path="members">
      <system.web>     
         <authorization>
            <deny users="?" />
         </authorization>
        </system.web>
   </location>
</configuration>

Note: In case you've read ahead in this article to the section on roles, here's a clarification that you may find useful: The authorization specified in this web.config file means that any authenticated user is allowed access to the pages in the specified directory ("member" in this case). It doesn't check what role the user has, if any.