To limit access to the secure page, I added a Web.config file to the folder containing the page:
<configuration> <system.web> <authorization> <allow roles="Admin" /> <allow roles="Map Viewer" /> <deny users="*" /> </authorization> </system.web> </configuration>
The main web.config file sets up forms authentication.
<authentication mode="Forms"> <forms loginUrl="~/account/login/" requireSSL="true" timeout="2880" /> </authentication>
This works like a charm if you access the secured page through https (e.g. https://example.com/Map). You are prompted to log in, you enter your credentials, and then you go to the page. As noted above, the page will not work correctly if served over http. However, ASP.NET authentication/authorization won't allow you to access it: 1. If you are not logged in and try to access the page over http, you are redirected to the site home page once you log in. 2. If you are logged in and try to access the page over http, you are shown the log in screen even though you are already logged in.
No other secure pages on the site require HTTP to work correctly, and this form-based authentication process has been working fine for those pages for years.