Yeah, that's what I meant.

Normally, if you are validating against a database, you would use forms authentication, which ensures that no matter how a person accesses a particular page, they would need to have been authenticated to access any page besides the logon page.

So if I had used your app before... and knew the location of your RefundCustomer.aspx, I could simply type it in the URL box, 'http://localhost/mikesapp/refundcustomer.aspx', and never need to be authenticated because your web.config doesn't require it. Whereas, if you set forms authentication, I would have to log in because as soon as I hit GO with that URL, the .NET Framework would see I haven't been issued an authentication cookie, and redirect me to the default login page you designated in the web.config.

Anyway... (more to come, thought I'd let you digest this first)
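
Added example, not part of the original post: a web.config for the application root that turns on forms authentication and denies anonymous users, so a typed-in URL such as refundcustomer.aspx redirects to the login page. The page name `Login.aspx`, the 30-minute timeout and the HTTPS requirement are assumptions.

```xml
<?xml version="1.0"?>
<!-- Constructed example; place in the application root (e.g. the mikesapp folder). -->
<configuration>
  <system.web>
    <!--
      Weak setting the post describes: with no deny rule for anonymous
      users, every .aspx page is served to anyone who knows its URL.
        <authorization>
          <allow users="*" />
        </authorization>
    -->

    <!-- Issue an authentication cookie after a successful login.
         loginUrl is the page unauthenticated requests are redirected to
         (Login.aspx is an assumed name). protection="All" encrypts and
         validates the cookie. requireSSL="true" assumes the site is served
         over HTTPS; the cookie is not sent over plain HTTP. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             protection="All"
             timeout="30"
             requireSSL="true" />
    </authentication>

    <!-- "?" means anonymous users. Denying them forces the redirect to
         loginUrl for every page handled by ASP.NET except the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

The `deny users="?"` rule is what closes the gap: `mode="Forms"` on its own only enables the cookie mechanism and still lets anonymous requests through.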