I have a website that uses URL rewriting in the global.asax file to ensure nice tidy URLs e.g. /contact/default.aspx rewrites to /html/template.aspx?PageID=139

However I now want to implement forms authentication on some sections of the site for example I want to protect the merchandise section (/merchandise/*.aspx). However as this directory doesn't actually exist it doesn't work.

I read this was because I'm doing the URL rewriting in the Application_BeginRequest method and forms authentication is not happening until after this therefore meaning that the URL is already rewritten before it checks to see if it is in the merchandise directory.

I'll also read this could be avoided by moving the URL rewriting into the Application_AuthorizeRequest method however when I do this it throws 404 errors for every page and weirdly the 404's are for the actual existing page not the original URL. I've tracked this down thsi problem to the fact that the querystring at the end of the rewritten URL seems to screw this up right royally - if removed it works fine. Unfortunately I need it as it distinguises between pages!

Has anyone experienced this? Is there a way to get this to work?

Cheers

DJ