A protection problem

Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/69402?pagenum=1
04 November 2025, 15:08

Topic


thermal_seeker
A protection problem
30 June 2010, 14:53


I have a "members" folder that requires a login to access the pages in there. (The UNs and PWs are authenticated from the DB for the forum.) That works well and has no problems. The problem is... if I create a folder inside the members one, whatever I put in there can be accessed without login... i.e. here or here. Am I missing something??
Dave

 

Replies ...


HuwR
30 June 2010, 16:18


How have you set it up to require authentication? Can you post your code?
thermal_seeker
30 June 2010, 16:53


Web config
and Class1.vb that's in App Code (that you supplied Huw)

Having a little play around it seems that everything that ends .aspx is protected but every other extension isn't.
Dave
HuwR
30 June 2010, 17:26


That's because you need to tell IIS that .NET needs to handle them.
This may help http://www.windowsitpro.com/article/security-development/secure-resource-and-document-files.aspx or this http://aspnet.4guysfromrolla.com/articles/020404-1.aspx

thermal_seeker
30 June 2010, 18:16


Thanks Huw

it all makes sense now

Dave
thermal_seeker
01 July 2010, 18:06


I have a minor problem...
My host has done the mapping and I have created an httphandler (handler.ashx) residing in app_code

Code:
<%@ WebHandler Language="VB" Class="DocHandler" %>

Imports System
Imports System.Web

Public Class DocHandler : Implements IHttpHandler

    Public Sub ProcessRequest(ByVal context As HttpContext) Implements IHttpHandler.ProcessRequest
        context.Response.ContentType = "application/msword"
        context.Response.Write("You must be logged in to access these files")
    End Sub

    Public ReadOnly Property IsReusable() As Boolean Implements IHttpHandler.IsReusable
        Get
            Return False
        End Get
    End Property

End Class

I have in my web config...
<httpHandlers>
    <add verb="*" path="*.doc" type="App_Code.DocHandler"/>
</httpHandlers>

but am getting an error... Parser Error Message: Could not load type 'App_Code.DocHandler'.
any ideas?
Dave
HuwR
02 July 2010, 01:52


Have you tried just DocHandler, not App_Code.DocHandler?
thermal_seeker
02 July 2010, 02:51


Yes Huw, I have tried a few things there but all return the parser error, so I was assuming it may be a problem with the handler? I had a google around last night and although there are a few variations on the handler, the generic one that is created using VWD 2008 Express is the one that brain-deads like me seem to use.
As a matter of interest... if I created a handler, modified the webconfig and uploaded it to the webserver, if IIS wasn't mapped correctly would an error be thrown up or would it just not work?
Dave
HuwR
02 July 2010, 03:37


If IIS wasn't mapped correctly it would either try to download the file or give a 40X error of some sort.
OK, your problem is that you have created a handler file (ashx) when what you really need to do is create a httpmodule. ashx files expect to be called in the same way as other asp.net files; what you actually want is a httpmodule which will basically trap any .doc files (either that or you need to add a rewrite rule to map all *.doc requests to your ashx file). Try renaming your ashx file to a .cs file; it should then recognise it as a handler type rather than a handler file.

sorry if I haven't explained that too well :)

You will need to remove the webhandler tag from the top of the file too.
thermal_seeker
02 July 2010, 18:26


Thanks Huw, and you explained it well enough :)
I have been working on it (on and off) all day and getting error upon error. (The first one being I renamed the ashx file to .cs and the site is in VB!!... doh)

I stumbled across something this evening that doesn't require a class file, ashx file etc. It uses an inbuilt static file handler. All that is needed is a line in webconfig, within the httpHandler tags:

<add verb="*" path="*.pdf" type="System.Web.StaticFileHandler" />

it seems to work but I'm not sure if it's 100% correct (correct may not be the right word?)

your views would be appreciated

Dave
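
The class-based handler discussed in this thread, written out as an added example (not code posted by either participant): a plain VB class in App_Code with no WebHandler directive, which only hands over the requested .doc file when the request is authenticated. It assumes the site login is ASP.NET forms authentication and that IIS already maps .doc to ASP.NET; the file name and the registration line in the comment are assumptions.

```vb
' Added example: App_Code/DocHandler.vb (file name assumed). No WebHandler
' directive, so the class can be referenced by type name in web.config.
' Assumed registration, following the thread's suggestion to use the bare name:
'   <add verb="*" path="*.doc" type="DocHandler" />
Imports System
Imports System.IO
Imports System.Web
Imports System.Web.Security

Public Class DocHandler
    Implements IHttpHandler

    Public Sub ProcessRequest(ByVal context As HttpContext) _
            Implements IHttpHandler.ProcessRequest
        ' Assumption: the site login is ASP.NET forms authentication, so an
        ' anonymous visitor has no authenticated identity on the request.
        If Not context.Request.IsAuthenticated Then
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If

        ' PhysicalPath is the on-disk file ASP.NET resolved for this URL.
        Dim filePath As String = context.Request.PhysicalPath
        If Not File.Exists(filePath) Then
            context.Response.StatusCode = 404
            Return
        End If

        ' Keep member-only documents out of shared proxy caches.
        context.Response.Cache.SetCacheability(HttpCacheability.Private)
        context.Response.ContentType = "application/msword"
        context.Response.TransmitFile(filePath)
    End Sub

    Public ReadOnly Property IsReusable() As Boolean _
            Implements IHttpHandler.IsReusable
        Get
            Return True ' no per-request state is stored on the instance
        End Get
    End Property
End Class
```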