Changing ASP.NET Forms Authorization Redirection

ASP.NET makes it easy to configure Forms Authentication and Authorization, including automatically redirecting you to the login page when necessary. The problem is that it also redirects authenticated users to the login page when they attempt to access pages that they are not authorized to access. This gives you the opportunity to log in as someone else and then be automatically redirected back to the page you originally attempted to access. But that may not be the behavior you want for authenticated users: do your users really have multiple logins, and do they understand why they end up back at the login page? Instead, I want my authenticated users to be redirected to some other page that tells them they do not have access, and possibly gives them a way to contact an administrator. So here's the code that you need to put in your Global.asax file:

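protected void Application_AuthorizeRequest(Object sender, EventArgs e) {
  // An authenticated user who lands on the login page was sent there because
  // authorization failed, so show the "no access" page instead.
  // Ordinal, case-insensitive comparison avoids culture-dependent ToUpper() results.
  if (this.Request.IsAuthenticated &&
      this.Request.Path.EndsWith("Login/Default.aspx", StringComparison.OrdinalIgnoreCase)) {
    this.Response.Redirect("~/Login/Unauthorized.aspx");
  }
}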

Note that this will prevent any users with multiple logins from being able to switch their login -- the solution for them is to first log out, or close and reopen the browser.

Published Tuesday, May 11, 2004 12:20 PM by PaulWilson

Comments

# re: Changing ASP.NET Forms Authorization Redirection

Wouldn't it be less costly to check for this on your login page?

Tuesday, May 11, 2004 12:25 PM by M. Keith Warren

# re: Changing ASP.NET Forms Authorization Redirection

The point is that I do NOT want to be redirected back to the login page. Now you could have your login page dynamically change from being a login page to a page that tells the user they aren't authorized, if that's what you mean -- but that's not really the behavior I want.

Tuesday, May 11, 2004 12:28 PM by Paul Wilson

# re: Changing ASP.NET Forms Authorization Redirection

More alluding to the fact that you could check at the load of the login page to determine if the user is authed and if so then transfer them to the appropriate 'you got no access' page.

In this case you are only using cycles for this logic in the case that your user happens to actually come across a page while having insufficient credentials, whereas in the GASA event you run the logic for every single request.

Tuesday, May 11, 2004 12:35 PM by M. Keith Warren

# re: Changing ASP.NET Forms Authorization Redirection

OK, I'll buy that. It does also simplify the logic:
if (this.Request.IsAuthenticated) {
  this.Response.Redirect("~/Login/Unauthorized.aspx");
}

Tuesday, May 11, 2004 12:57 PM by Paul Wilson

# re: Changing ASP.NET Forms Authorization Redirection

I've run into this problem before and couldn't find a built-in solution, so I placed the authorization logic in a base page while having asp.net responsible for authentication. The inheriting page overrides an abstract method that returns the allowed roles. Not the best solution since an access change requires a recompile, but in most apps I've come across this isn't often. Hopefully this will be addressed in asp.net 2.0.

Wednesday, May 12, 2004 11:45 AM by Jason Nesbitt

# re: Changing ASP.NET Forms Authorization Redirection

I've faced the same situation, but the solution you provide is not working in all cases.
Let's say you want to add a link "Connect using another login" to the Login page on the "Unauthorized" page. In that case, IsAuthenticated is always true, and that prevents the access to the Login page to reconnect. Unless your link performs a postback and signs out.

What I ended with is the following:
- In web.config, the loginUrl is the Unauthorized page.
- The user gets redirected to that page when he tries to access a page without being authenticated AND when he tries to access a page without the right permission.
- The Unauthorized page has two links: "Go back" and "Connect using another login".
- If the user accesses the application through the Login.aspx URL, he doesn't see the Unauthorized page. Of course, if he tries to access another page without being authenticated, he will see the Unauthorized page.

Let's hope the ASP.NET team cooked something better for the next version!

Tuesday, May 18, 2004 9:52 AM by Fabrice
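
An added example (not part of the original post or of any comment above): one way to combine the login-page check suggested in the comments with the "Connect using another login" case raised by Fabrice, using a postback that signs out first. The class names, the `SwitchLogin_Click` handler and the reliance on the `ReturnUrl` query parameter are assumptions of this example; the page paths are the ones used in the post.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for ~/Login/Default.aspx (class name is hypothetical).
public class LoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication appends ReturnUrl when it bounces a request to
        // the login page. An already-authenticated user arriving with ReturnUrl
        // was denied by authorization, so show the "no access" page instead of
        // a login form. This runs only when the login page is requested, not
        // on every request as a Global.asax handler would.
        if (Request.IsAuthenticated && Request.QueryString["ReturnUrl"] != null)
        {
            Response.Redirect("~/Login/Unauthorized.aspx", true);
        }
    }
}

// Code-behind for ~/Login/Unauthorized.aspx (class name is hypothetical).
// Assumed markup on the page:
//   <asp:LinkButton runat="server" OnClick="SwitchLogin_Click"
//                   Text="Connect using another login" />
public class UnauthorizedPage : Page
{
    // Runs on postback, so switching accounts is an explicit user action
    // rather than a plain GET link that any page could trigger.
    protected void SwitchLogin_Click(object sender, EventArgs e)
    {
        // Remove the forms authentication ticket. Request.IsAuthenticated
        // stays true for the rest of this request, so redirect: the next
        // request is anonymous and the login form is shown normally.
        FormsAuthentication.SignOut();
        Response.Redirect("~/Login/Default.aspx", true);
    }
}
```

Both pages must be reachable by every user (anonymous and authenticated) in the `<authorization>` rules for the Login folder, otherwise the Unauthorized page itself triggers another redirect.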

# re: Changing ASP.NET Forms Authorization Redirection

Excellent comments Fabrice. Thanks.

Tuesday, May 18, 2004 11:12 AM by Paul Wilson

# re: Changing ASP.NET Forms Authorization Redirection

Another way to accomplish the same result in ASP.NET 2.0 is to use a LoginView control on your login page.  If a user is not logged in, you can display the Login control using the <AnonymousTemplate> section of the control.  Otherwise, you can display the not authorized message in the <LoggedInTemplate> of the control.

Thursday, September 06, 2007 11:30 AM by Jonathan
