Hi Jeremy, Until IIS 7.0 is released, only pages mapped to the ASP.NET ISAPI Extension will be protected by ASP.NET Forms Based Authentication. Your HTML file will be mapped to the IIS static file handler by default, and so ASP.NET is never invoked when handling the page request, and the FBA will never kick in. Your options? a) map .html to ASP.NET (like aspx pages are) b) change pages with the .html extension to .aspx instead c) use some other security system To do (a), open IIS Manager, and bring up the properties of your website. On the Home Directory tab, click the "Configuration" button. On the "Mappings" tab, map .html to ASP.NET in the same way that .aspx is Cheers Ken -----Original Message----- From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Jeremy Coulson Sent: Tuesday, 26 June 2007 6:17 AM To: evolt Subject: [thelist] .net login Hello friends, First off, thanks to those who tried to help me with an IE issue recently. I tried all suggestions and nothing helped, so I just decided to reinstall Windows. It's nice to get a clean install once in a while, anyway. Here's my new problem. In case you won't be able to tell, I'm hardly a programmer and generally a n00b to .Net. We have an intranet site that's hosted on a server and only available on our local network in the building. We have several outside locations who would like access to the intranet and some employees have expressed an interest in using some of the features from home, so I want to move the intranet to our web server. I don't, however, want the entire world to read the intranet, so I want to set up some kind of login deal. The server is running Windows 2003 and .Net Framework 1.1. We can't upgrade to 2.0 just yet because the vendor who makes our e-Treasurer apps has some compatibility concerns. So far, I have had success making a database of usernames and passwords and using a login form to send a user to one page or another depending on whether or not the credentials supplied were found in the database. Score. The problem is that if a person wanted to go to intranet/topSecretPage.html without logging in at intranet/login.aspx, all that person needs to do is type the URL for topSecretPage.html directly. Our software vendor told me to use a cookie and set up sessions for users, but they didn't offer any information beyond that. I've chipped away at the problem for weeks now, but I'm at a point where I need assistance. I'm not asking for someone to do it for me; I just need a nice example and overview of how to accept credentials, check them against a database, assign a session to a user, and allow that user access as long as that session remains valid. Thanks. Jeremy Coulson, PC Technician/Webmaster County of Frederick (540) 722-8211 jcoulson at co.frederick.va.us -- * * Please support the community that supports you. * * http://evolt.org/help_support_evolt/ For unsubscribe and other options, including the Tip Harvester and archives of thelist go to: http://lists.evolt.org Workers of the Web, evolt !