Geeks With Blogs
Will Smith The Blog in Black
First of all, since my last post indicated I would be gone a while because of Hurricane Ike, I guess it wouldn't hurt to provide an update.  Well, I still have a little bit of work to do on the house, but things are mostly back to normal for me.  There are still a lot of people in the Houston area recovering from the storm.  I've personally helped clean up two homes that had water 4-5 feet high on the first floor.  This makes me all the more glad that I am on the north side away from the storm surge.

Anyway, I thought I would just jump right back in the saddle with something that I've found lots of people asking about but only a few solutions.  All of the solutions I have found (including my own adapted solution) are specific to a particular ASP.Net configuration.

The problem: Redirect a user to an Unauthorized page when they attempt to navigate to a page they have no access to.  There are many nuances to this problem.  It really all depends on your ASP.Net configuration.  Are you using Windows authentication?  Forms Authentication?  Are you using membership and role providers?

My specific situation is an ASP.Net web site that uses both Membership and Role providers, in addition to Forms authentication.  The crux of the problem is that ASP.Net is too smart for its own good.  When you set up Forms authentication in the web.config, one of the attributes includes the loginUrl.  This is used, firstly, for identifying the login page when the user is not yet authenticated.

When you throw authorization into the mix, the loginUrl is used yet again.  The FormsAuthenticationModule intercepts any 401 (not authorized) sent by the UrlAuthorizationModule and translates it into a 302 (redirect), redirecting to the login page.  I'm not quite sure why it was designed this way.  Clearly based on all of the posts on the net, there is a high demand for different behavior (that is, a separate "unauthorized" page).

The solution:  After playing with various solutions, I finally adapted a few of them into something I am comfortable with.  Granted, this is proprietary to ASP.Net's current behavior and may require changing in the future.  Hopefully, when a change is required, it will mean that Microsoft has provided a better solution (perhaps another web config attribute for the unauthorized page, or honoring the customErrors configuration).

Regardless, my solution involves intercepting the EndRequest event on the Application instance:

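    // Global.asax; UrlAuthorizationModule lives in System.Web.Security.
    void Application_EndRequest( object sender, EventArgs e )
    {
        // An authenticated user is being sent to the login page: the
        // FormsAuthenticationModule has turned a 401 into a 302.
        // User and RedirectLocation can be null, so guard both.
        if(User != null && User.Identity.IsAuthenticated && Response.StatusCode == 302
            && Response.RedirectLocation != null
            && Response.RedirectLocation.ToUpper().Contains( "LOGIN.ASPX" ))
        {
            // Confirm the user really lacks access to the requested page.
            if(!UrlAuthorizationModule.CheckUrlAccessForPrincipal( Request.FilePath, User, "GET" ))
            {
                Response.RedirectLocation = "/Unauthorized.aspx";
            }
        }
    }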

Basically, I check to see if the response is a redirect to the login page and if the user has already been authenticated.  Finally, I check whether the user lacks access to the originally requested page.  If all of those conditions are true, then I redirect them to the unauthorized page instead of the login page.
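A variant of the handler above, as an added example that is not the author's code: it compares only the path of the redirect against `FormsAuthentication.LoginUrl` instead of searching the whole location for the literal `LOGIN.ASPX`, so a `ReturnUrl` query string cannot cause a false match. It assumes a code-behind `Global` class, default redirect settings (relative redirect URLs, cookie-based tickets, a `loginUrl` without its own query string), and the helper name `IsLoginRedirect` is hypothetical.

```csharp
// Added example, not the author's code. Global.asax.cs code-behind.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: the unauthorized page lives at the application root.
    private const string UnauthorizedPage = "~/Unauthorized.aspx";

    // True when 'location' is a redirect to the configured forms login page.
    // Only the path is compared, so a ReturnUrl query string that happens to
    // contain the login page name cannot cause a false match.
    internal static bool IsLoginRedirect( string location, string loginUrl )
    {
        if(string.IsNullOrEmpty( location ) || string.IsNullOrEmpty( loginUrl ))
            return false;
        int cut = location.IndexOfAny( new[] { '?', '#' } );
        string path = cut >= 0 ? location.Substring( 0, cut ) : location;
        return string.Equals( path, loginUrl, StringComparison.OrdinalIgnoreCase );
    }

    protected void Application_EndRequest( object sender, EventArgs e )
    {
        // User is null when the request ended before authentication ran.
        if(User == null || !User.Identity.IsAuthenticated || Response.StatusCode != 302)
            return;
        if(!IsLoginRedirect( Response.RedirectLocation, FormsAuthentication.LoginUrl ))
            return;
        // Ask UrlAuthorizationModule whether this principal may GET the page
        // that was originally requested; only then swap the redirect target.
        if(!UrlAuthorizationModule.CheckUrlAccessForPrincipal( Request.FilePath, User, "GET" ))
        {
            Response.RedirectLocation = VirtualPathUtility.ToAbsolute( UnauthorizedPage );
        }
    }
}
```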

Anyway, I hope this helps someone.  Now at least I won't have to search too long the next time I need it.

Happy coding

Posted on Tuesday, October 14, 2008 5:53 PM .Net , ASP.Net

Comments on this post: Unauthorized Page with Forms Authentication

# re: Unauthorized Page with Forms Authentication
Thanks dude, I've been looking for something like this for a few hours and finally came across your blog. This is the only thing that worked for me. I think MS should consider fixing this since it's something that a lot of ppl are looking for. Redirecting to login page is not the most elegant way of dealing with the problem.
Left by Iuliu Sandu on Dec 08, 2008 6:14 AM

# It does not work for me...
The problem is Response.RedirectLocation never contains the login page. I suppose that since I'm logged in, the login page redirects to the root of my secured web application and I see the root of my application as Response.RedirectLocation.
Left by Maxime on Feb 20, 2009 8:56 AM

# re: Unauthorized Page with Forms Authentication
Maxime, did you find something that works for you?
Left by Will on Feb 23, 2009 4:55 PM

# re: Unauthorized Page with Forms Authentication
It appears that there is a much simpler solution. Take a look at Step 2 in the article at
Left by Raghu on Jul 18, 2009 3:07 AM

# re: Unauthorized Page with Forms Authentication
Can I know where these few lines must be pasted?
Left by ling on Jan 24, 2010 6:29 AM

# re: Unauthorized Page with Forms Authentication
This code belongs in the global.asax file. If you don't have one in your project, you can add one with the Add Item dialog.
Left by Will on Jan 26, 2010 8:21 PM

# re: Unauthorized Page with Forms Authentication
Great post, thx!
I searched the net for 3 days to find the solution; all hacks proposed simply did not work with ASP.NET 4.0. This one does!
Left by SoloWorg on Jun 04, 2011 5:02 AM

Copyright © Will Smith