
Prevent certain basic member role from viewing (or becoming aware of) admin directory?

Right now authorization is working perfectly in my ASP.NET Web Forms application.

I was wondering if it were possible to absolutely prevent all unauthenticated and unauthorized users from discovering the admin directory.

As it stands, if a user types in the URL to the admin directory it takes them to the login page (assuring them it exists, which is not good!), and if successful they will be able to access the admin directory. For security purposes, is there a way of preventing them from getting redirected to the login page and maybe just redirecting them to the home page, so that they are never really guaranteed that the URL they typed in is valid?


As you have said, the authorization is working fine, so you will have to do something in code. Try putting the pages in the admin folder under a separate master page and put the following in the Page_Load of this (admin) master page:

protected void Page_Load(object sender, EventArgs e)
{
    // Anyone who is not a logged-in member of the "admin" role is sent elsewhere
    // instead of to the login page, so the redirect does not confirm the folder exists.
    if (!Page.User.Identity.IsAuthenticated || !Page.User.IsInRole("admin"))
    {
        Response.Redirect("to some other page");
    }
}

Though this works, it is not a good solution, as the master page is called after the content page, so if you are doing some heavy work like hitting the database, it has already happened before you redirect the user.

Another option is to put the above code in all the content and other aspx pages in the admin folder. Or you can try creating a base class for the pages in the admin folder and implement this role and authentication checking inside that base class.

PS: you also need to remove the restriction on the folder from web.config, because if web.config restricts users from accessing the admin folder, it will never execute the code block and will redirect the user to the login page.

0
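The base-class variant the answer suggests, written as an added example (not code from the original answer): the check runs in OnPreInit, which fires before the content page's Page_Load, so no database work happens for an unauthorized visitor. The role name "admin" comes from the answer; the class name, the home-page URL and the helper method are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Hypothetical base class for every page under /admin.
// Pages inherit from AdminPageBase instead of System.Web.UI.Page.
public abstract class AdminPageBase : Page
{
    // "admin" is the role named in the answer; the redirect target is a placeholder.
    private const string RequiredRole = "admin";
    private const string SafeRedirectUrl = "~/Default.aspx";

    protected override void OnPreInit(EventArgs e)
    {
        // PreInit runs before the content page's Page_Load and before the master
        // page is attached, so no page logic (or data access) has executed yet.
        if (!IsAuthorizedAdmin(Context.User))
        {
            // Send the visitor to the home page rather than the login page so the
            // response does not confirm that an admin area exists at this URL.
            Response.Redirect(SafeRedirectUrl, endResponse: true);
        }
        base.OnPreInit(e);
    }

    // Authenticated AND in the required role; null-safe so an anonymous request
    // (no identity attached) is treated as unauthorized rather than crashing.
    internal static bool IsAuthorizedAdmin(IPrincipal user)
    {
        return user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(RequiredRole);
    }
}

// Example admin page: the page itself contains no authorization code.
public partial class AdminDashboard : AdminPageBase
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only by authenticated members of the "admin" role.
    }
}
```

As the answer's PS notes, this only runs if web.config no longer carries a deny rule for the admin folder, since UrlAuthorizationModule would otherwise redirect to the login page before the page class is created.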
