Changing ASP.NET Forms Authorization Redirection

ASP.NET makes it easy to configure Forms Authentication and Authorization, including automatically redirecting you to the login page when necessary.  The problem is that it also redirects already-authenticated users to the login page when they attempt to access pages they are not authorized to access: the request is denied with a 401, and the Forms Authentication module turns every 401 into a redirect to the login page, whether or not the user already holds a valid ticket.  This gives you the opportunity to log in as someone else and then be automatically redirected back to the page you originally attempted to access.  But that may not be the behavior you want for authenticated users -- do your users really have multiple logins, and do they understand why they end up back at the login page?  Instead, I want my authenticated users to be redirected to some other page that tells them they do not have access, and possibly gives them a way to contact an administrator.  So here's the code that you need to put in your Global.asax file:

protected void Application_AuthorizeRequest(Object sender, EventArgs e) {
  // Runs on every request. A user who already holds a forms ticket normally
  // only lands on the login page because authorization failed on some other
  // page, so send them to the "no access" page instead of asking them to log in
  // again. Request.Path is the virtual path without the query string, so the
  // match does not depend on the ReturnUrl parameter the module appends.
  if (this.Request.Path.ToUpper().EndsWith("LOGIN/DEFAULT.ASPX") && this.Request.IsAuthenticated) {
    this.Response.Redirect("~/Login/Unauthorized.aspx");
  }
}

Note that this will prevent any users with multiple logins from being able to switch their login while a ticket is still present -- the solution for them is to first log out, or to close and reopen the browser so the session cookie is discarded.
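As an added example (not code from the original post or from any of its commenters), here is the login-page variant of the same check together with a "no access" page that lets a user who really does have a second account switch logins by signing out first, rather than having to close the browser. The page names, the control IDs, the ~/Login/ paths and the ReturnUrl handling are assumptions made for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not code from the original post. Assumes the forms-auth
// loginUrl in web.config is ~/Login/Default.aspx and that the "no access"
// page lives at ~/Login/Unauthorized.aspx.

// Code-behind for ~/Login/Default.aspx (the page named by loginUrl).
public class LoginPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Forms authentication bounces every 401 to this page, including
        // authorization failures for users who already hold a valid ticket.
        // Such a user does not need to log in; tell them they lack access.
        if (Request.IsAuthenticated)
        {
            string target = "~/Login/Unauthorized.aspx";
            string returnUrl = Request.QueryString["ReturnUrl"];
            if (IsLocalUrl(returnUrl))
            {
                target += "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
            }
            Response.Redirect(target);
        }
    }

    // Only forward a ReturnUrl that stays inside this site, so the "Go back"
    // link on the "no access" page cannot be turned into an open redirect.
    // Accepts "/path" and "~/path"; rejects "//host", "/\host" and absolute URLs.
    public static bool IsLocalUrl(string url)
    {
        if (url == null || url.Length == 0) return false;
        if (url[0] == '/')
        {
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }
}

// Code-behind for ~/Login/Unauthorized.aspx. The markup is assumed to contain
//   <asp:HyperLink id="GoBack" runat="server" Text="Go back" />
//   <asp:Button id="SwitchLogin" runat="server" Text="Connect using another login" />
public class UnauthorizedPage : Page
{
    protected HyperLink GoBack;
    protected Button SwitchLogin;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        SwitchLogin.Click += new EventHandler(SwitchLogin_Click);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!IsPostBack)
        {
            string returnUrl = Request.QueryString["ReturnUrl"];
            GoBack.NavigateUrl = LoginPage.IsLocalUrl(returnUrl) ? returnUrl : "~/";
        }
    }

    // A plain hyperlink to the login page would bounce straight back here,
    // because the user is still authenticated. Sign out first, then redirect.
    private void SwitchLogin_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();   // removes the forms ticket cookie
        Session.Abandon();               // drop server-side session state too
        string target = "~/Login/Default.aspx";
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (LoginPage.IsLocalUrl(returnUrl))
        {
            target += "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        }
        Response.Redirect(target);
    }
}
```

Two points worth keeping in mind with this variant. First, FormsAuthentication.SignOut only clears the cookie in that one browser; a ticket that was copied elsewhere stays valid until it expires, so this is a convenience for the user, not a revocation. Second, the ReturnUrl that forms authentication appends is attacker-controlled input like any other query parameter, which is why the example refuses to propagate anything that is not a site-local path.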

7 Comments

  • Wouldn't it be less costly to check for this on your login page?

  • The point is that I do NOT want to be redirected back to the login page. Now you could have your login page dynamically change from being a login page to a page that tells the user they aren't authorized, if that's what you mean -- but that's not really the behavior I want.

  • More alluding to the fact that you could check at the load of the login page to determine if the user is authed and if so then transfer them to the appropriate 'you got no access' page.



    In this case you are only using cycles for this logic in the case that your user happens to actually come across a page while having insufficient credentials, whereas in the GASA event you run the logic for every single request.

  • OK, I'll buy that. It does also simplify the logic:

    if (this.Request.IsAuthenticated) {
      this.Response.Redirect("~/Login/Unauthorized.aspx");
    }

  • I've run into this problem before and couldn't find a built in solution so I placed the authorization logic in a base page while having asp.net responsible for authentication. The inheriting page overrides an abstract method that returns the allowed roles. Not the best solution since an access change requires a recompile but in most apps I've come across this isn't often. Hopefully this will be addressed in asp.net 2.0

  • I've faced the same situation, but the solution you provide is not working in all cases.

    Let's say you want to add a link "Connect using another login" to the Login page on the "Unauthorized" page. In that case, IsAuthenticated is always true, and that prevents the access to the Login page to reconnect. Unless your link performs a postback and signs out.



    What I ended with is the following:

    - In web.config, the loginUrl is the Unauthorized page.

    - The user gets redirected to that page when he tries to access a page without being authenticated AND when he tries to access a page without the right permission.

    - The Unauthorized page has two links: "Go back" and "Connect using another login".

    - If the user accesses the application through the Login.aspx URL, he doesn't see the Unauthorized page. Of course, if he tries to access another page without being authenticated, he will see the Unauthorized page.



    Let's hope the ASP.NET team cooked something better for the next version!

  • Excellent comments Fabrice. Thanks.
