Forms Authetication to Protect Single File Using Asp.net

[rodrigo]

I want to protect a single file (openvideo.aspx). I already setup the
folder as an application in IIS.
The authentication seems to work fine and the permissions works as it
should.

The problem comes after the user gets authenticated. I need to store
each user info in database after it gets authenticated at any time,
not only the first time.
I am using persistent cookie. It seems that register.aspx it's being
bypassed or skipped after authentication and I can't force the
register.aspx (loginUrl) to be checked after authentication.

I tryed using Request.IsAuthenticated but it always returns false.
From my little understanting of .net framework, I thinks something is
happening behind that is taking control of cookie authentication and
using session instead.

<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="register.aspx" name=".AUTH1" protection="None"
path="/" timeout="20" >
</forms>
</authentication>
</system.web>

<location path="openvideo.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>

thanks

Rod

 

[rodrigo]

Let me clarify better my situation.

login page = register.aspx
protected page = openvideo.aspx

SIMULATION
(First time access. No cookies yet)

1. Try to access openvideo.aspx
2. Asp.Net checks web.config permissions
3. It is protected, then redirects to register.aspx
4. User informs name and password and submit back to register.aspx
5. register.aspx validates user in database and redirects to
authorizes openvideo.asp page
6. Cookie is persistent
7. Close the brower and try to access openvideo.aspx
8. Asp.Net checks web.config permissions. It is protected, but this
time do not redirect to register.aspx since it is authenticated.
9. Asp.Net just lets the user see the file content.
10. Clean cookies
11. Things repeat like first step

With this situation I can't force tracking of info at all times even
after authentication.

The point is I need track user info (querystring, time, etc) each time
he access openvideo.aspx because register.aspx does not ge hit after
authentication.

You suggestion to get rid of persistent cookie would make
register.aspx pop up at all times and it would be annoying for the
user. I want it to be authenticated, but always force authentication
to pass by register.aspx.

Some people will say, what's the point if you can track info directly
in the destination or protected file. Well in this case I know I can
track this type of info in openvideo.aspx since it gets hit all the
times, but it does not protect the media files from direct browser
access. If you know the path to the media you can access it easily.

Right now that is not my major concern. Later, I'll need to use a
handler to handle the media by file extension (ex. wmv, mpeg, etc)
without intermediate pages. And if you want to track something at all
events it will have to pass by register.aspx.

Maybe I confused you more, sorry about that and thanks for you
patience.

Rodrigo