I have a folder named "app" I want to block access to all files if the user is not logged in.
I tried this way:
<location path="app">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
But if I access /app/file.xyz it accesses ...
IIS has to be warned that any and all requests (including static files) must be processed by it. As it was before, IIS does not enforce the FormsAuthentication feature on static files.
Put the following in your Web.config file:
<configuration>
...
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
...
</configuration>