Web.config Location element functioning incorrectly

Environment: ASP.NET 3.5, C#, Forms Authentication, IIS 6

Problem details: I have a web.config file set up with forms authentication, and the following are the location elements as they appear:

<location path="Home/Common">
    <system.web>
       <authorization>
        <allow users="*" />
       </authorization>
    </system.web>
</location>

<location path="Business/Services">
   <system.web>
    <authorization>
        <allow users="*" />
    </authorization>
   </system.web>
</location>

The Home/Common folder contains my ForgotPassword.aspx.

The Login.aspx page is set as the LoginUrl

When the Login page is visited the first time (with no prior cookies, etc.) the ForgotPassword link functions fine. It redirects to the page as desired. However, once a user has logged in and then signed out, the ForgotPassword link does not redirect. Rather, forms authentication takes precedence and redirects to the login URL with the ReturnURL query string pointing to the Forgot Password page.

The question simply is: if, prior to signing in, the element is honoured and the page is rightly excluded from forms authentication, why, after signing in and signing out, does it fall within the purview of forms authentication?

It is to be noted that on clearing the browser history, the functionality works as expected.

Any help would be appreciated.

Thanks.


It is more common to use the question mark (?) to allow/deny unauthenticated users. Unauthenticated users are the ones that really need to use the login page and password reset functionality, so allowing all users (*) to access them is an incorrect configuration. However, you have not posted your entire Web.config. There will be a root configuration for authorization that deals with "everything else."

How I would likely configure this: within the root <system.web>, I'd have:

<authorization>
    <allow users="*" />
</authorization>

And later in the Web.config, define locations that are secured:

<location path="Business/Services">
    <system.web>
        <authorization><deny users="?" /></authorization>
    </system.web>
</location>

Which denies all unauthenticated users access to pages within that folder. Your login and forgot password pages would be in the root folder. Regardless, either I'm missing something or you do not have the root authentication configured, which might be confusing ASP.NET's authentication.
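A complete web.config laid out the way the answer describes (open by default at the root, locked down per folder with `<deny users="?" />`), given here as an added example that is neither the question's posted config nor the answerer's own file. The folder and page names are the question's; the `<forms>` attribute values (`name`, `timeout`, `protection`, `slidingExpiration`) are assumed illustrative settings, and the `<location>` entries for the public folders are redundant under a root `allow *` but are kept so that the two layouts can be compared in one place.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: loginUrl must itself be reachable anonymously,
         otherwise every redirect to it is again intercepted. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="Login.aspx"
             timeout="30"
             protection="All"
             slidingExpiration="true" />
    </authentication>

    <!-- Root rule: everything is open unless a <location> below says otherwise.
         "*" matches every user, authenticated or anonymous; "?" matches only
         anonymous users. Rules are evaluated top to bottom and the first match
         wins, and rules from a more specific <location> are evaluated before
         the rules inherited from the root. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Secured area: anonymous users are sent to loginUrl with a ReturnUrl
       query string naming the page they asked for. -->
  <location path="Business/Services">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Public area holding ForgotPassword.aspx. With a root "allow *" this
       entry changes nothing; it only matters if the root rule is later
       tightened to "deny ?", at which point the child rule below still wins
       because it is evaluated first. -->
  <location path="Home/Common">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the root rule is inverted to the more common `<deny users="?" />`, every page that an anonymous user must reach (Login.aspx, the forgot-password page, any stylesheet or script they load) needs its own `<location>` with `<allow users="*" />`; the order of the two rules inside one `<authorization>` element also matters, since an `allow *` placed before a `deny ?` makes the deny unreachable.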
