Forms Auth root "/" not authenticating sub folders and files

From: Cy Huckaba (cyh@delete.t-3.com)
Date: 03/26/03 

From: "Cy Huckaba" <cyh@delete.t-3.com>
Date: Wed, 26 Mar 2003 14:09:32 -0600

I have forms auth. setup for a web app with the path set to "/". Everything
seemed to be working fine until I tried jumping directly into a file in a
sub folder. If you make a request into any file in the root directory, it's
fine...if you request anything files outside of that folder you can go
directly to them without authenticating.

The app is a review site where work is posted for client review. All of the
aspx file are located in the root. The subfolders contain images or word
docs, spreadsheets, etc. that are posted through the web forms. Some of the
subfolders are actually created when new jobs are created etc. This would
make it hard to add a path for each new folder created. Does this affect the
security? Isn't the root path "/" supposed to cover all folders.

Here is my web.config entry..

<system.web>
...
    <authentication mode="Forms">
          <forms path="/" loginUrl="/login.aspx" timeout="30"></forms>

    </authentication>

    <authorization>
        <deny users="?" />
    </authorization>
...
</system.web>

Any help is appreciated, thanks,

Cy Huckaba
T3 - Austin, TX
www.t-3.com