I want to protect a certain subfolder on a website unless they are authenticated, then they can browse/access files in that subfolder.
/website
/subfolder
/admin << THIS is the folder I want to protect and its contents unless they are authenticated
I added this to my root web.config but it still lets me access the files without even being authenticated:
<authentication mode="Forms">
<forms defaultUrl="~/subfolder/admin/Default.aspx" loginUrl="~/subfolder/admin/Login.aspx" path="/subfolder/admin" ticketCompatibilityMode="Framework40" protection="All" name="admin" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
<location path="~/subfolder/Admin">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
where am I going wrong?