When a request is unauthorized, the FormsAuthenticationModule is forced to redirect to loginUrl.
When I use ASP.NET Web API, I think that it is inappropriate to redirect the client.
Clients (such as WebClient) access the URL after the redirection and obtain a result.
However, because the URL after the redirection is the login URL, the expected result (HTTP status code 401) is never returned. Users usually judge authentication by the status code.
The current workaround is to change the status code from 302 to 401 in the Application_EndRequest() event handler.
But this solution is not generic. I would like a simpler solution. For example, the FormsAuthenticationModule could give back a status code 401 (not a redirect and 302) when a developer sets a flag in the forms element in web.config.
<forms redirect="False" protection="All" timeout="20160" cookieless="UseCookies" name="sample" slidingExpiration="true" path="/" />
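
The workaround described above, written out as a Global.asax.cs handler. This is an added example, not code from the original post; the class name `Global` and the `~/api/` route prefix are assumptions to adjust for the application.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: Web API routes are mapped under "~/api/".
    private const string ApiPrefix = "~/api/";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;

        // Only touch 302 responses to API requests; page requests from
        // browsers should still be sent to the login form.
        if (response.StatusCode != 302 || !IsApiRequest(Context.Request))
            return;

        // Only rewrite redirects that target the forms login page, so a
        // redirect issued deliberately by API code is left alone.
        if (!PointsAtLoginPage(response.RedirectLocation ?? string.Empty))
            return;

        response.ClearContent();                // drop the "Object moved" HTML body
        response.RedirectLocation = null;       // do not send a Location header with the 401
        response.StatusCode = 401;
        response.TrySkipIisCustomErrors = true; // keep IIS from substituting its own error page
    }

    private static bool IsApiRequest(HttpRequest request)
    {
        return request.AppRelativeCurrentExecutionFilePath
            .StartsWith(ApiPrefix, StringComparison.OrdinalIgnoreCase);
    }

    private static bool PointsAtLoginPage(string location)
    {
        // The redirect target may be absolute or app-relative; compare on
        // the path so "https://host/Account/Login?ReturnUrl=..." also matches.
        Uri absolute;
        string path = Uri.TryCreate(location, UriKind.Absolute, out absolute)
            ? absolute.PathAndQuery
            : location;
        return path.StartsWith(FormsAuthentication.LoginUrl,
                               StringComparison.OrdinalIgnoreCase);
    }
}
```

On .NET Framework 4.5 and later, setting `HttpResponse.SuppressFormsAuthenticationRedirect` to `true` for the request gives the same 401 without rewriting the response afterwards.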