Preventing website access to non-logged in users

Last post 07-06-2009 10:27 AM by fyffemark. 3 replies.

  • Preventing website access to non-logged in users

    07-03-2009, 11:03 AM
    • Member
      2 point Member
    • fyffemark
    • Member since 04-09-2008, 10:04 AM
    • Posts 39

    I am having trouble configuring my web app to prevent users who have not logged in from accessing the website.  I have my web.config authentication mode set to "Forms", but when I attempt to access another page by simply typing the URL, the page does not redirect to the login page like I am expecting. Please inform me as to what I am doing wrong; here is my code from web.config:

    <authentication mode="Forms">

          <forms loginUrl="Login.aspx" protection="All" timeout="30" />

    </authentication>

    <authorization>

          <allow users="*" />

    </authorization>

  • Re: Preventing website access to non-logged in users

    07-03-2009, 6:20 PM
    • Member
      211 point Member
    • pryanjr
    • Member since 04-19-2009, 6:51 PM
    • Posts 99

    Right under <allow user="*" /> add <deny users="?" />

  • Re: Preventing website access to non-logged in users

    07-04-2009, 7:58 AM
    • All-Star
      60,891 point All-Star
    • anas
    • Member since 09-21-2006, 4:31 AM
    • Palestinian Territory, Occupied
    • Posts 6,865
    • Moderator

    fyffemark:

    <authorization>

          <allow users="*" />


    </authorization>

    Instead, it must be:

    <authorization>
          <deny users="?" />
    </authorization>


    Regards,

    Anas Ghanem | Blog

  • Re: Preventing website access to non-logged in users

    07-06-2009, 10:27 AM
    • Member
      2 point Member
    • fyffemark
    • Member since 04-09-2008, 10:04 AM
    • Posts 39

    Appreciate the suggestions, but nothing seems to be working. Let me spell out in more detail what I have done so far:

    First of all, I have two web.config files: one at the level of the log in page and one which is with the rest of the website in a Secure folder.   The web.config which is at the level of the login table looks like this initially:

    ...<!-- Login Level -->

     <authentication mode="Forms">
          <forms loginUrl="Login.aspx" protection="All" timeout="30" path="/"/>
        </authentication>

        <authorization>
          <allow users="*"/>
         </authorization>

    ...

    Web.config at the level of the Secure folder looks like this initially:

    ...

    <authorization>
            <deny users="?" />
    </authorization>

    ... 

    These settings don't allow anyone in; whether properly logged in or typing the URL to the secured page, everyone is redirected to login.

    Then I tried this:

    ...<!-- Login Level -->

     <authentication mode="Forms">
          <forms loginUrl="Login.aspx" protection="All" timeout="30" path="/"/>
        </authentication>

        <authorization>
          <allow users="*"/>
          <deny users="?" />
        </authorization>

    ...

    ...<!--Secure level -->

    <authorization>
            <deny users="?" />
    </authorization>

    ... 

    Same result as previous: no one allowed in.  Next try looked like this:

    ...<!-- Login Level -->

     <authentication mode="Forms">
          <forms loginUrl="Login.aspx" protection="All" timeout="30" path="/"/>
        </authentication>

        <authorization>
             <!--<allow users="*"/>-->

             <deny users="?" />
        </authorization>

    ...

    ...<!--Secure level -->

    <authorization>
            <deny users="?" />
    </authorization>

    Same result -- next try looked like this:

    ...<!-- Login Level -->

     <authentication mode="Forms">
          <forms loginUrl="Login.aspx" protection="All" timeout="30" path="/"/>
        </authentication>

        <authorization>
             <allow users="*"/>

             <deny users="?" />
        </authorization>

    ...

    ...<!--Secure level -->

    <authorization>
            <allow users="*"/>

           <deny users="?" />
    </authorization>

    ...

    This setting allows everyone entry, even non-logged in users.  My last try looked like this:

    ...<!-- Login Level -->

     <authentication mode="Forms">
          <forms loginUrl="Login.aspx" protection="All" timeout="30" path="/"/>
        </authentication>

        <authorization>
             <allow users="*"/>

             <deny users="?" />
        </authorization>

    ...

    ...<!--Secure level -->

    <authorization>
           <!--<allow users="*"/>-->

           <deny users="?" />
    </authorization>

    ...

    This setting denied all users?  Please help, very confused at this point.
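
How ASP.NET URL authorization evaluates the rule combinations tried in this thread, as an added example that is not part of any post: a small Python model (not ASP.NET code) of the documented behaviour, where rules are checked from the most local web.config outward, the first matching rule wins, and the machine-level default is `<allow users="*"/>`. Only the `*` and `?` user patterns are modelled (no roles or verbs); the fragment names and the `alice` login are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed <authorization> fragments modelled on the configs in the thread.
ROOT_ALLOW_ALL = '<authorization><allow users="*"/></authorization>'
ROOT_ALLOW_THEN_DENY = ('<authorization><allow users="*"/>'
                        '<deny users="?"/></authorization>')
DENY_ANON = '<authorization><deny users="?"/></authorization>'
# Documented ASP.NET default inherited from the machine-level configuration.
MACHINE_DEFAULT = '<authorization><allow users="*"/></authorization>'


def parse_rules(xml_fragment):
    """Return [(action, [user patterns])] in document order."""
    root = ET.fromstring(xml_fragment)
    return [(el.tag, [u.strip() for u in el.get("users", "").split(",")])
            for el in root if el.tag in ("allow", "deny")]


def matches(patterns, user):
    """user is None for an anonymous request, otherwise a login name."""
    for p in patterns:
        if p == "*":                     # everyone, anonymous included
            return True
        if p == "?" and user is None:    # anonymous requests only
            return True
    return False


def is_allowed(user, *configs_most_local_first):
    """First matching rule wins; the most local config is checked first."""
    for fragment in (*configs_most_local_first, MACHINE_DEFAULT):
        for action, patterns in parse_rules(fragment):
            if matches(patterns, user):
                return action == "allow"
    return False


def report(label, *configs):
    anon, authed = is_allowed(None, *configs), is_allowed("alice", *configs)
    print(f"{label:<32} anonymous={anon!s:<5} authenticated={authed}")
    return anon, authed


if __name__ == "__main__":
    report("root: allow *", ROOT_ALLOW_ALL)
    report("root: allow * then deny ?", ROOT_ALLOW_THEN_DENY)
    report("root: deny ?", DENY_ANON)
    report("Secure: deny ? / root: allow *", DENY_ANON, ROOT_ALLOW_ALL)
```

In this model an `<allow users="*"/>` placed ahead of `<deny users="?"/>` in the same file matches every request first, so the deny rule is never reached.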
