Redirect unauthorized users to Custom Access Denied page instead of login page

Scenario:

Say you are using Forms Authentication and have set up authorization in your web.config to allow access to particular users or roles and/or deny anonymous access.

1: Deny anonymous users: When an unauthenticated user tries to access a secured page, the default behavior is to redirect the user to your login page, or more precisely to the loginUrl set in the forms element of your web.config.

2: Allow certain roles: Now say a user is already authenticated and tries to access a page allowed only to users in a particular role, e.g. "admin". You will see the same behavior as for anonymous users above: the authenticated user is redirected to the login page.

In the second case, it usually makes more sense to redirect unauthorized users to a different page that displays an appropriate message such as "Access Denied".

The first idea would be to use the customErrors element in the web.config.

    <customErrors mode="On" defaultRedirect="~/GenericErrorPage.htm">
      <error statusCode="401" redirect="~/unauthorized.htm" />
    </customErrors>

But that won't work because the FormsAuthenticationModule changes the 401 status to a 302 redirect and sends the user to the login page. For more detailed information check here.

Solution:

1: Add and design a page (e.g. "unauthorized.aspx") with an appropriate access denied message.

2: Add this code to the Page_Load of your login page. (Note: Originally discussed here)

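    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            // A user who is already authenticated and arrives at the login page
            // with a ReturnUrl was sent here by a failed authorization check,
            // not by a missing login, so show the access denied page instead.
            if (Request.IsAuthenticated && !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
            {
                Response.Redirect("~/unauthorized.aspx");
            }
        }
    }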
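
The same check can also be made once for the whole application, at the point where the 401 has already been turned into a 302 to the login page. The following is an added example, not code from the original post; it assumes the access denied page is "~/unauthorized.aspx" as in step 1 and that loginUrl points to a page on the same host.

```csharp
// Global.asax.cs (added example, not code from the original post)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: the access denied page created in step 1.
    private const string AccessDeniedUrl = "~/unauthorized.aspx";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Anonymous users and non-redirect responses keep the default behaviour.
        if (!Request.IsAuthenticated || Response.StatusCode != 302)
            return;

        string location = Response.RedirectLocation;
        if (string.IsNullOrEmpty(location))
            return;

        // Resolve both URLs against the current request so relative and absolute
        // forms compare equal. Only the path is compared, because the module
        // appends ?ReturnUrl=... to the login URL.
        // Assumption: loginUrl is on the same host as the application.
        string target = new Uri(Request.Url, location).AbsolutePath;
        string login = new Uri(Request.Url, FormsAuthentication.LoginUrl).AbsolutePath;
        if (!string.Equals(target, login, StringComparison.OrdinalIgnoreCase))
            return;

        // Never rewrite a redirect raised for the access denied page itself,
        // otherwise an authorization rule that also denies that page would loop.
        string denied = VirtualPathUtility.ToAbsolute(AccessDeniedUrl);
        if (string.Equals(Request.Path, denied, StringComparison.OrdinalIgnoreCase))
            return;

        // Signed in but not authorized: point the 302 at the access denied page.
        Response.RedirectLocation = denied;
    }
}
```

With this handler in place the login page needs no extra Page_Load logic, and anonymous users still reach the login page with their ReturnUrl intact.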


Published Tuesday, January 12, 2010 12:46 PM by guru_sarkar

Comments

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Wednesday, April 28, 2010 3:53 AM by selenerdogmus

Hi,

Could you give this example in VB.NET 2008?

How can we write the below code in VB?

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            if (Request.IsAuthenticated && !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
                Response.Redirect("~/unauthorized.aspx");
        }
    }

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Thursday, September 23, 2010 1:59 PM by Rick.Gwu

Very nice!

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Wednesday, December 29, 2010 12:46 AM by navaz shaik

It's nice and simple to understand.

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Tuesday, February 8, 2011 9:50 AM by Chandrabhan singh

Hi,

I have a weird scenario in one of my ASP.net applications.

I am using ASP.net membership with my custom "roleManager",

and have the below tag in web.config to restrict any user not having the role "Keywords" (roles) from accessing the "Keywords" (path) folder

    <location path="Keywords">
      <system.web>
        <authorization>
          <allow roles="Keywords"/>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

Any user with some other role who tries to access this URL (Keywords in this case) will be redirected to a custom Access Denied page.

Now things are working fine, but when I leave my application inactive for 30 min I am not able to visit "Keywords"; every time I end up on the custom Access Denied page. If I close the browser and log in again, it starts working fine.

Please help me in this case.

Thanks in advance

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Monday, February 14, 2011 12:05 PM by guru_sarkar

Chandrabhan,

I am not sure why that might be happening. Try posting your question on Security forum here:

forums.asp.net/25.aspx

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Monday, February 14, 2011 9:18 PM by Jack

Chandrabhan,

Forms Authentication timeout defaults to 30 minutes which is why after a period of 30 minutes inactivity you are no longer authenticated.  You can override this default value in web.config:

    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" cookieless="UseCookies" timeout="1440" />
    </authentication>

The timeout value is in minutes.

Cheers.

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Tuesday, February 15, 2011 11:00 AM by guru_sarkar

Jack,

It's correct that the default timeout is 30 mins, but changing that won't remove the problem. Leaving the application for 1440 mins will cause the same issue.

Chandrabhan,

I was just wondering, what is the return URL after the timeout when you are taken to the login page? I believe if it is the accessdenied page, that could be a cause.

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Wednesday, April 6, 2011 11:52 AM by Deepti

Hi,

I am not using the Login control... whenever I am doing Request.Authenticate it gives false... if I am using page.user.identity.isauthenticated... then too it returns false... any idea?

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Wednesday, November 9, 2011 8:00 AM by Braveen

Hi there... I'm having some problem over here. When a user enters their ID, it shows the main page, which is for users, but when an admin enters their ID, it goes to the user's main page and I have to click the admin site hyperlink at the top, and it automatically logs out, and only once I enter the admin password again does it redirect to the admin page. How can I make it so that once a user enters their password it redirects to the user page, and once an admin enters the admin password in the login it redirects to the admin page? I have 3 roles here, which are admin, staff and user. Here I'll provide my ASPX code and also the VB code running behind the program. Please do assist me. Thanks

ASPX

    <asp:Login ID="Login1" runat="server" BackColor="#009933" BorderColor="Red"
        BorderPadding="4" BorderStyle='Ridge' BorderWidth='1px' Font-Names='Verdana'
        Font-Size="0.8em" ForeColor="Red"
        DestinationPageUrl="~/MainPage.aspx" style='text-align: center' Height='171px'
        Width="266px" VisibleWhenLoggedIn="True" TextLayout="TextOnTop">
        <TextBoxStyle Font-Size="0.8em" />
        <LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle='Solid'
            BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#284775" />
        <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
        <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" Font-Size="0.9em"
            ForeColor="White" />
    </asp:Login>

VB

    Partial Class Login
        Inherits System.Web.UI.Page
    End Class

Please do guide me in this. I need this urgently. Thanks

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Wednesday, November 9, 2011 11:13 AM by guru_sarkar

Braveen,

Check this: weblogs.asp.net/.../redirecting-the-users-to-different-pages-based-on-there-roles.aspx

You use the Login control's LoggedIn event, check the role of the user, and redirect them accordingly.

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Thursday, March 1, 2012 9:47 PM by arun

Hi, I have created a login page with session, but when it loads it will not go to the target page, it is still loading. Also, how do I block an unauthorized person from accessing the admin page using session?

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Monday, March 5, 2012 11:19 AM by guru_sarkar

@Arun,

Without looking at the code it is hard to give any suggestions.

For restriction to the admin page, you will need to add another variable in the session, e.g. isAdmin. Upon login you set that session variable, and upon admin page load you check the value of the session and determine if the user should be given access or redirected to the unauthorized page.

Hope this helps.

# re: Redirect unauthorized users to Custom Access Denied page instead of login page

Thursday, July 19, 2012 11:55 AM by Fabienne Bonzon

Most useful! Thank you for this simple solution
