I have been working on a website project which restricts access to a certain folder to annonymous users and allows access to the folder to those who are logged in. This has been working perfectly on my development machine.

However since publishing the website and deploying to a web server (Windows Server 2008, IIS7) the forms authentication appears not to be working. Anonymous users are able to access the "restricted" folder. I have compared the webconfig on both the development machine and the web server and they are exactly the same.

I set up the access/restriction to the directory on the development machine using the Web Site Administration Tool built into the .NET Framework using this tutorial. However I understand this tool is localhost only?

Please note: I am not using the asp.net login and registration controls. I am using a custom function in the code behind (C#)

Is this problem caused by the change of location? The development machine directory: C:\Users\Megatron\Documents\Visual Studio 2010\Projects\Osqar - v0.2\OSQARv0.1 The Web server Directory: C:\inetpub\wwwroot\Osqar

I am a little lost here so any advice would be greatly appreciated.

Here is the web config file

<?xml version="1.0" encoding="UTF-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  http://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>
    <connectionStrings>
        <add name="dbConn" connectionString="data source=mssql.database.com; Initial Catalog=devworks_oscar;User ID=myusername;Password=password" providerName="System.Data.SqlClient" />
    </connectionStrings>
    <system.web>
        <authentication mode="Forms">
            <forms name="Osqar" loginUrl="/login/login.aspx" protection="All" path="/" timeout="60" />
        </authentication>

        <compilation debug="true" />
        <pages /></system.web>
    <system.webServer>
        <defaultDocument>
            <files>
                <add value="index.aspx" />
            </files>
        </defaultDocument>
    </system.webServer>
</configuration>

Put this under <cofiguraation> main tag like:

<configuration>
 <location path="~/RestrictedFolder">
  <system.web>
  <authorization>
    <deny users="?"/>
  </authorization>
  </system.web>
 </location>
....

if you're restricting specific files do:

<location path="~/securedpage.aspx">
  <system.web>
  <authorization>
    <deny users="?"/>
  </authorization>
 </system.web>
</location>

Do these changes to the web.config in the deployed project

Alternatively as Wiktor suggested use to block anonymous access to the website as a whole

put it under <system.web> possibly before or after <authentication> tag

<authorization>
  <deny users="?"/>
</authorization>

Or create a folder under the root of your project and put secured pages inside that folder. R-click on the folder add new web.config file and put the following under the <system.web> tag

<authorization>
  <deny users="?"/>
</authorization>

The authorization section seems to be missing (?). You should have something like

<authorization>
   <deny users="?" />
   <allow users="*" />
</authorization>

Without the information about the required level of authorization (deny anonymous users), the application server will let everyone go everywhere.