I have a login system in place at the moment to stop all non-authenticated users from viewing the content of my website. I can confirm the login works.
The problem I am facing now, however, is with my web.config file. I am able to block a non-validated user from viewing the main page (i.e. www.mysite.com), which would in turn load index.php. The user, though, can still go to www.mysite.com/index.php without logging in, defeating the purpose of the login.
My web.config handles just the main page and any .aspx files I have in the root.
Below is my web.config code. I've looked for a solution for a while now and haven't found a way to make the web.config work for the entire site. Also, it is located in the root (and my site uses WordPress).
Code:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="false" />
    <customErrors mode="Off" />
    <authentication mode="Forms">
      <forms
        name=".myCookie"
        loginUrl="http://www.mysite.com"
        domain="mysite.com"
        protection="All"
        timeout="120"
        path="/"
        requireSSL="false"
        slidingExpiration="true"
      />
    </authentication>
    <authorization>
      <allow roles="AA,BB" />
      <deny users="*" />
    </authorization>
    <machineKey
      validationKey="xxxxxxx"
      decryptionKey="xxxxxxx"
      validation="SHA1"
    />
    <sessionState mode="Off" />
  </system.web>
  <system.webServer>
    <defaultDocument>
      <files>
        <add value="index.php" />
      </files>
    </defaultDocument>
    <rewrite>
      <rules>
        <rule name="wordpress" patternSyntax="Wildcard">
          <match url="*" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
Any help would be appreciated as I've spent quite a while on this and I feel like it should be a simple solution. Also, I am running IIS 7.
Just to sum up my question, I need the web.config file to block access to all types of files (.php, .txt, etc.) instead of just the root URL and .aspx files.
Thank you
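An added example, not part of the original post: on IIS 7 the ASP.NET authentication and authorization modules are registered by default with `preCondition="managedHandler"`, so the `<authorization>` rules above are enforced only for requests handled by ASP.NET (such as .aspx) and not for .php or static files. The fragment below shows the usual way to widen that coverage by re-registering the modules without the precondition. It assumes the site's application pool runs in Integrated pipeline mode, which the post does not state, and it is meant to be merged into the existing `<system.webServer>` section.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <!-- The existing <system.web> section (authentication, authorization,
       machineKey, sessionState) stays exactly as posted above. -->
  <system.webServer>
    <modules>
      <!-- Default registration carries preCondition="managedHandler",
           which limits each module to ASP.NET-handled requests.
           Removing and re-adding it without the precondition makes it
           run for every request in the Integrated pipeline, including
           .php (FastCGI) and static files such as .txt. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />

      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />

      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
    <!-- The existing <defaultDocument> and <rewrite> sections stay here
         unchanged. -->
  </system.webServer>
</configuration>
```

A quick check after applying it is to request /index.php and a .txt file in a browser session with no login cookie; both should redirect to the `loginUrl` in the same way the root URL does.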