Redirect unauthorized users to Custom Access Denied page instead of login page

Scenario:

Say you are using Forms Authentication and have set up authorization in your web.config to allow access to particular users or roles and/or deny anonymous access.

1: Deny Anonymous users: When an unauthenticated user tries to access a secured page, the default behavior is to redirect the user to your login page, or more precisely to the loginUrl set in the forms element of your web.config.

2: Allow certain Roles: Now, if a user is already authenticated and tries to access a page allowed only to users in a particular role, e.g. "admin", you will see the same behavior as for anonymous users above: the authenticated user is redirected to the login page.

In the second case, most of the time it makes sense to redirect unauthorized users to a different page that displays an appropriate message like "Access Denied".

The first idea would be to use the customErrors element in web.config:

<customErrors mode="On" defaultRedirect="~/GenericErrorPage.htm">
  <error statusCode="401" redirect="~/unauthorized.htm"/>
</customErrors>

But that won't work because the FormsAuthenticationModule turns the 401 status into a 302 redirect to the login page before the customErrors handler for 401 ever gets a chance to run. For more detailed information check here.

Solution:

1: Add and design a page (e.g. "unauthorized.aspx") with an appropriate access denied message.

2: Add this code to the Page_Load of your login page. (Note: Originally discussed here)

protected void Page_Load(object sender, EventArgs e)
{
    if (!Page.IsPostBack)
    {
        // An already-authenticated user only lands on the login page with a ReturnUrl
        // when an authorization rule (e.g. a role check) denied the request, so send
        // them to the access denied page instead of showing the login form again.
        if (Request.IsAuthenticated && !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
            Response.Redirect("~/unauthorized.aspx");
    }
}
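A fuller version of the two-page solution above, as an added example that is not the post's own code. It assumes <forms loginUrl="~/Login.aspx"> in web.config, a page ~/Unauthorized.aspx containing an asp:Label named DeniedPathLabel (assumed name), and IIS 7+ integrated mode for TrySkipIisCustomErrors.

```csharp
// Added example, not the post's own code: the two code-behind files of the solution.
// Assumes <forms loginUrl="~/Login.aspx">, a page ~/Unauthorized.aspx with an
// <asp:Label ID="DeniedPathLabel"> (assumed name), and IIS 7+ integrated mode.
using System;
using System.Web;
using System.Web.UI;

// Login.aspx.cs
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Page.IsPostBack) return;

        string returnUrl = Request.QueryString["ReturnUrl"];

        // Case 2 from the post: the visitor already holds a valid forms ticket, yet the
        // authorization rules bounced them to the login page with a ReturnUrl. A login
        // form cannot fix a failed role check, so show the access denied page instead
        // and pass along which path was refused (for the message and for the logs).
        if (Request.IsAuthenticated && !string.IsNullOrEmpty(returnUrl))
        {
            Response.Redirect("~/Unauthorized.aspx?denied=" + HttpUtility.UrlEncode(returnUrl), false);
            Context.ApplicationInstance.CompleteRequest(); // end the request without ThreadAbortException
        }
        // Case 1 (anonymous visitor): fall through and render the login form as usual.
    }
}

// Unauthorized.aspx.cs
public partial class Unauthorized : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Send a real 403 so IIS logs and monitoring record the denial rather than a 200
        // for the friendly page; TrySkipIisCustomErrors keeps our body from being replaced
        // by the server-level 403 page in integrated mode.
        Response.StatusCode = 403;
        Response.TrySkipIisCustomErrors = true;

        // The denied path comes from the query string, i.e. from the client. HTML-encode
        // it before rendering so it cannot inject markup into the page.
        string denied = Request.QueryString["denied"] ?? string.Empty;
        DeniedPathLabel.Text = denied.Length > 0
            ? "You are signed in, but your account may not access " + HttpUtility.HtmlEncode(denied)
            : "You are signed in, but your account may not access this page.";
    }
}
```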

Resources:

13 Comments

  • Hi,
    could you give this example in vb.net 2008?

    How can we write the below code in VB?

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            if (Request.IsAuthenticated && !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
                Response.Redirect("~/unauthorized.aspx");
        }
    }

  • Very nice!

  • It's nice and simple to understand.

  • Hi,

    I have a weird scenario in one of my ASP.net applications.

    I am using ASP.net membership with my custom "roleManager",

    and have the below tag in web.config to restrict any user not having the role "Keywords" (roles) from accessing the "Keywords" (path) folder:

    <location path="Keywords">
      <system.web>
        <authorization>
          <allow roles="Keywords"/>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    If any user with some other role tries to access this URL (Keywords in this case), they will be redirected to a custom Access Denied page.

    Now things are working fine, but when I leave my application with an inactivity of 30 min I am not able to visit "Keywords"; every time I end up with the custom Access Denied page. If I close the browser and login again, it starts working fine.

    Please help me in this case.

    Thanks in advance

  • Chandrabhan,
    I am not sure why that might be happening. Try posting your question on the Security forum here:
    http://forums.asp.net/25.aspx?Security

  • Chandrabhan,

    Forms Authentication timeout defaults to 30 minutes, which is why after a period of 30 minutes of inactivity you are no longer authenticated. You can override this default value in web.config:

    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" cookieless="UseCookies" timeout="1440" />
    </authentication>

    The timeout value is in minutes.

    Cheers.

  • Jack,
    That's correct that the default timeout is 30 mins, but changing that won't remove the problem. Leaving the application for 1440 mins will cause the same issue.

    Chandrabhan,
    I was just wondering, what is the return URL after the timeout, when you are taken to the login page? I believe if it is the access denied page, that could be the cause.

  • Hi,

    I am not using the Login Control. Whenever I am doing Request.Authenticate it gives false. If I am using page.user.identity.isauthenticated, then too it returns false. Any idea?

  • Hi there... I'm having some problem over here. When a user enters their id, it will show up the main page, and it's for users, but when an admin enters their id, it will enter the user's main page and I have to click the admin site on the top hyperlink, and it automatically logs out, and only once I enter back the admin password does it redirect to the admin page. How to make it so that once a user enters their password it redirects to the user page, and once an admin enters the admin password in the login it redirects to admin? I have 3 roles over here which are admin, staff and user. Hereby I'll provide you my aspx code and also my vb code which is running behind the program. Please do assist me. Thanks

    ASPX

    <asp:Login ID="Login1" runat="server" BackColor="#009933" BorderColor="Red"
        BorderPadding="4" BorderStyle='Ridge' BorderWidth='1px' Font-Names='Verdana'
        Font-Size="0.8em" ForeColor="Red"
        DestinationPageUrl="~/MainPage.aspx" style='text-align: center' Height='171px'
        Width="266px" VisibleWhenLoggedIn="True" TextLayout="TextOnTop">
        <TextBoxStyle Font-Size="0.8em" />
        <LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle='Solid'
            BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em" ForeColor="#284775" />
        <InstructionTextStyle Font-Italic="True" ForeColor="Black" />
        <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" Font-Size="0.9em"
            ForeColor="White" />
    </asp:Login>

    VB

    Partial Class Login
        Inherits System.Web.UI.Page
    End Class

    Please do guide me in this. Need this urgent. Thanks

  • Braveen,
    Check this: http://weblogs.asp.net/anasghanem/archive/2008/04/12/redirecting-the-users-to-different-pages-based-on-there-roles.aspx

    You use the Login control's LoggedIn event, check the role of the user and redirect them accordingly.

  • Hi, I have created a login page with session, but when it loads it will not go to the target page, it is still loading. Also, how to block an unauthorized person from accessing the admin page using session?

  • @Arun,
    Without looking at the code it is hard to give any suggestions.
    For restriction to the admin page, you will need to add another variable in the session, e.g. isAdmin. Upon login you set that session value, and upon admin page load you check the value of the session and determine if the user should be given access or redirected to the unauthorized page.

    Hope this helps.

  • Most useful! Thank you for this simple solution
