Closed

FormAuthenticationModule is forced to redirect when unauthorized

description

When a request is unauthorized, the FormAuthenticationModule is forced to redirect to loginUrl.
And when I use ASP.NET Web API, I think that it is inappropriate to let a client redirect it.

The clients (such as the WebClient) access a URL after the redirection and obtain a result.
However, because the URL after the redirection is the login URL, the expected result (HTTP status code 401) cannot be returned. Users usually judge authentication by the status code.

The current workaround is to change the status code from 302 to 401 in Application_EndRequest() event handler.

See also:
http://stackoverflow.com/questions/3978334/asp-net-mvc-authorize-attribute-does-a-302-redirect-when-the-user-is-not-authori

But this solution is not generic. I would like a simpler solution. For example, FormAuthenticationModule gives back a status code 401 (not a redirect and 302) when a developer sets a flag in the forms element in web.config.

<authentication mode="Forms">
    <forms redirect="False" protection="All" timeout="20160" cookieless="UseCookies" name="sample" slidingExpiration="true" path="/" />
</authentication>

Closed Jun 10, 2013 at 7:43 PM by hongyes
Verified
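
The Application_EndRequest workaround mentioned in the description, written out as an added example (not code from this issue, the linked answer or the ASP.NET project). The `Global` class name, the `~/api/` route prefix and the default relative redirect URL are assumptions.

```csharp
// Global.asax.cs: turn the forms-authentication 302 into a 401 for API calls only.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: Web API routes are served under this app-relative prefix.
    private const string ApiPrefix = "~/api/";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        HttpResponse response = Context.Response;

        // Leave every response that is not a redirect untouched.
        if (response.StatusCode != 302)
            return;

        // Browser pages should still be sent to the login form;
        // only API clients need a status code they can test.
        string path = request.AppRelativeCurrentExecutionFilePath ?? string.Empty;
        if (!path.StartsWith(ApiPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        // Rewrite only the redirect that targets loginUrl, so a 302 returned
        // on purpose by an API action is preserved.
        // Assumption: redirects are emitted as relative URLs (the default).
        string location = response.RedirectLocation ?? string.Empty;
        if (!location.StartsWith(FormsAuthentication.LoginUrl,
                                 StringComparison.OrdinalIgnoreCase))
            return;

        // Drop the "Object moved" body and the Location header, then report
        // the authentication failure directly.
        response.ClearContent();
        response.RedirectLocation = null;
        response.StatusCode = 401;

        // Keep IIS from replacing the response with its own error page.
        response.TrySkipIisCustomErrors = true;
    }
}
```

Checking the redirect target as well as the status code keeps the rewrite from masking redirects that have nothing to do with authentication.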

comments

sebastienros wrote Mar 30, 2012 at 9:21 AM

Fixed in changeset ae1164a2e339

buchizo wrote Mar 30, 2012 at 9:54 AM

Hi sebastienros,
Thanks a lot.

HongmeiG wrote Apr 3, 2012 at 6:31 AM

Per Sebastien's comment, this is now fixed so we no longer redirect.