FormAuthenticationModule is forced to redirect when unauthorization


When unauthorization, the FormAuthenticationModule is forced to redirect to loginUrl.
And when I use ASP.NET Web API, I think that it is inappropriate to let a client redirect it.

The clients (such as the WebClient) access a URL after the redirection and obtain a result.
However, because a URL after the redirection is a login URL, there cannot be the thing that result (HTTP status code 401) to expect is returned. Users usually judge authentication with status code.

The current workaround is to change the status code from 302 to 401 in Application_EndRequest() event handler.

See also:

But, this solution is not generic. I would like a simpler solution. For example, FormAuthenticationModule gives back a status code 401 (not redirect and 302) when a developer sets a flag in forms element in web.config.

<authentication mode="Forms">
<forms redirect="False" protection="All" timeout="20160" cookieless="UseCookies" name="sample" slidingExpiration="true" path="/" />
Closed Jun 10, 2013 at 8:43 PM by hongyes


sebastienros wrote Mar 30, 2012 at 10:21 AM

Fixed in changest ae1164a2e339

buchizo wrote Mar 30, 2012 at 10:54 AM

Hi sebastienros,
Thanks a lot.

HongmeiG wrote Apr 3, 2012 at 7:31 AM

Per Sebastien's comment, this is now fixed so we no longer redirect.