Forms Authentication static content not loading

Using forms authentication, you may find that your css is not being applied, or other such static media isnt loading when you are not authenticated, ie when not logged in.

In order to diagnose where the problem is you need to understand how forms authentication walks hand in hand with IIS regardless if you are forcing all requests through the .net api or not.

The Scope of Forms Authentication

The FormsAuthenticationModule is managed code that is part of the ASP.NET runtime. Prior to version 7 of Microsoft’s Internet Information Services (IIS) web server, there was a distinct barrier between IIS’s HTTP pipeline and the ASP.NET runtime’s pipeline. In short, in IIS 6 and earlier, the FormsAuthenticationModule only executes when a request is delegated from IIS to the ASP.NET runtime. By default, IIS processes static content itself – like HTML pages and CSS and image files – and only hands off requests to the ASP.NET runtime when a page with an extension of .aspx, .asmx, or .ashx is requested.

IIS 7, however, allows for integrated IIS and ASP.NET pipelines. With a few configuration settings you can setup IIS 7 to invoke the FormsAuthenticationModule for all requests. Furthermore, with IIS 7 you can define URL authorization rules for files of any type. For more information, see Changes Between IIS6 and IIS7 Security, Your Web Platform Security, and Understanding IIS7 URL Authorization.

Long story short, in versions prior to IIS 7, you can only use forms authentication to protect resources handled by the ASP.NET runtime. Likewise, URL authorization rules are only applied to resources handled by the ASP.NET runtime. But with IIS 7 it is possible to integrate the FormsAuthenticationModule and UrlAuthorizationModule into IIS’s HTTP pipeline, thereby extending this functionality to all requests.

If you want IIS to integrate the dynamic and static content with the forms authentication module you set your application pool to “integrated” mode, if not you set it to “classic” mode, separating the authentication module from the static content such as css files and other such media.

Configuring forms based authentication

you typically use the webconfig file to setup security topology of your website, below is n example of a webconfig root entry to apply security to folder and files of your website application

here we are allowing all users to have access to the folder “css” found on the root of the web application

similarly here we grant access to all users for the themes folder

In this example we want only those users in the Admin role to have access to the contents of the Admin folder

Another post you may find useful

String.replace ignorecase

Replace a string but ignore the case, I keep forgetting about this little handy function

Heres an example of usage