Redirecting user to login page if not authenticated

Posted 2019-06-24 01:37

Question:

I am using the simple authentication thing...

Using this in the config file...

    <authentication mode="Forms">
        <forms name=".COOKIE" loginUrl="login.aspx" protection="All" path="/" timeout="480"/>
    </authentication>
    <authorization>
        <deny users="?"/>
        <allow users="*"/>
    </authorization>

The user who is not logged in should be sent back to login.aspx, but currently that is not happening. The user is able to go to any page. It is working well on my local but not working on the server. What is the thing which I am missing?

Still seeking the answer...

Answer 1:

Couple of things to try:

  • remove <allow users="*"/>
  • close the browser, reopen it, clear all cookies, close the browser, reopen and go to site
  • check code in the login page to make sure it's not automatically authenticating the user
  • try changing the cookie name...maybe it's being shared somehow?


Answer 2:

Seems like the config is all right. You might check if the machine.config or the IIS ASP.NET settings are overriding the Web.config you're using.



Answer 3:

Make sure the FormsAuthentication module is added to the httpModules collection. You might try to add it yourself in your web.config, in case it has been removed from machine.config. This module is what handles the redirect to what you have specified under authentication/forms.



Answer 4:

I would deny unauthenticated users by default and only make exceptions for the login page and other resources needed.

Example:

    <authorization>
        <deny users="?"/>
    </authorization>

...

    <location path="Login.aspx">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
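
The checks suggested in Answers 3 and 4 can be run against the deployed web.config. The script below is an added example, not code from this thread. It assumes URL authorization rules are evaluated top-down with the first match winning, ignores `verbs`/`roles` attributes and anything inherited from machine.config, and uses a constructed sample with hypothetical function names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's rules plus a <remove> of the kind Answer 3 warns about.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".COOKIE" loginUrl="login.aspx" protection="All" path="/" timeout="480"/>
    </authentication>
    <authorization><deny users="?"/><allow users="*"/></authorization>
    <httpModules><remove name="FormsAuthentication"/></httpModules>
  </system.web>
  <location path="Login.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>"""

def first_match(system_web):
    """Return 'allow'/'deny' for the first rule matching an anonymous user, else None."""
    auth = system_web.find("authorization") if system_web is not None else None
    for rule in (auth if auth is not None else []):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if rule.tag in ("allow", "deny") and ("?" in users or "*" in users):
            return rule.tag
    return None  # no explicit rule here; the parent configuration decides

def audit(xml_text):
    root = ET.fromstring(xml_text)
    web = root.find("system.web")
    findings = []
    authn = web.find("authentication") if web is not None else None
    if authn is None or authn.get("mode") != "Forms":
        findings.append("authentication mode is not Forms in this file")
    if first_match(web) != "deny":
        findings.append("site root does not deny anonymous users")
    # Modules can be dropped under system.web/httpModules or system.webServer/modules.
    for path in ("system.web/httpModules", "system.webServer/modules"):
        for el in root.findall(path + "/*"):
            if el.tag == "clear" or (el.tag == "remove" and el.get("name") in
                                     ("FormsAuthentication", "UrlAuthorization")):
                findings.append(f"{path}: <{el.tag}> drops {el.get('name', 'all modules')}")
    open_paths = [loc.get("path") for loc in root.findall("location")
                  if first_match(loc.find("system.web")) == "allow"]
    return findings, open_paths
```

`audit` returns the findings for the file plus the `<location>` paths that anonymous users can reach, which should contain only the login page and the static resources it needs.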