| Bug #36938 | 'Not authorized' redirects, but should set http status to 403 | | |
|---|---|---|---|
| Submitted: | 24 May 2008 13:35 | Modified: | 29 May 2008 22:51 |
| Reporter: | Poul Bak | Email Updates: | |
| Status: | Not a Bug | Impact on me: | |
| Category: | Connector / NET | Severity: | S4 (Feature request) |
| Version: | 5.2.2 | OS: | Windows |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | authentication, authorization, membershipmanager, rolemanager | | |
[29 May 2008 22:51] Poul Bak

I have just found out that FormsAuthentication is the cause of this.
My workaround: Subscribe to the PostAuthenticateRequest event and call:

```csharp
// Runs on PostAuthenticateRequest: an authenticated user who is denied by the
// <authorization> rules for the requested path gets a 403 instead of the
// login-page redirect. Anonymous users are not touched.
private void CheckNotAuthorized(HttpContext context)
{
    if ((context.User != null) && (context.User.Identity != null) && context.User.Identity.IsAuthenticated
        && !UrlAuthorizationModule.CheckUrlAccessForPrincipal(context.Request.AppRelativeCurrentExecutionFilePath,
        context.User, context.Request.HttpMethod))
    {
        throw new HttpException(403, Resources.Statuskoder.Status403);
    }
}
```

Description:

When a user isn't authenticated he/she is correctly redirected to the login page. But when he/she is authenticated but NOT authorized, they also get redirected. That is wrong. Users get confused ("I'm already logged in, why must I log in again?"). Displaying an "Access denied" page is much better - that explains why they don't get the page they requested.

How to repeat:

For testing, simply set up a subfolder with:

```xml
<deny users="*"/>
```

and try to access this page, AFTER you have logged in.

Suggested fix:

Solution: Simply throw an exception:

```csharp
throw new HttpException(403, "Forbidden");
```

Now the following (taken from the default web.config) will work:

```xml
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
    <error statusCode="403" redirect="NoAccess.htm" />
```

... and control-freaks (like me) can catch it in the custom error module.

... and if a user wants the current behaviour, they can simply do:

```xml
<error statusCode="403" redirect="login.aspx" />
```

All in all, much more intuitive and customizable.
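The workaround from the comment above and the suggested fix from the description, put together as one complete IHttpModule that can be dropped into an ASP.NET application. This is an added example, not code from the bug report or from Connector/NET; the module name, the literal "Forbidden" message and the web.config registration snippet in the trailing comment are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module name (not from the bug report).
public class ForbiddenInsteadOfRedirectModule : IHttpModule
{
    public void Init(HttpApplication application)
    {
        // PostAuthenticateRequest fires after FormsAuthenticationModule has set
        // context.User, but before UrlAuthorizationModule runs in AuthorizeRequest
        // and, for a denied user, sets the 401 that FormsAuthentication later turns
        // into the login-page redirect. Checking here lets us short-circuit that.
        application.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose()
    {
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var application = (HttpApplication)sender;
        HttpContext context = application.Context;

        if (IsAuthenticatedButNotAuthorized(context))
        {
            // A 403 is terminal: <customErrors> can map statusCode="403" to a page,
            // and no login redirect happens because the status is never 401.
            throw new HttpException(403, "Forbidden");
        }
    }

    // Anonymous users are left alone so they still get the normal login redirect;
    // only authenticated users who fail the <authorization> rules for the
    // requested path are reported as "not authorized".
    internal static bool IsAuthenticatedButNotAuthorized(HttpContext context)
    {
        IPrincipal user = context.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            return false;
        }

        // Same evaluation UrlAuthorizationModule itself performs, against the
        // <authorization> section that applies to this path and HTTP verb.
        bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            context.Request.AppRelativeCurrentExecutionFilePath,
            user,
            context.Request.HttpMethod);

        return !allowed;
    }
}

/* Registration (assumed; classic ASP.NET pipeline) in web.config:

<system.web>
  <httpModules>
    <add name="ForbiddenInsteadOfRedirect" type="ForbiddenInsteadOfRedirectModule" />
  </httpModules>
  <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
    <error statusCode="403" redirect="NoAccess.htm" />
  </customErrors>
</system.web>
*/
```

With this module and the "How to repeat" folder containing `<deny users="*"/>`, a logged-in user requesting that folder receives a 403 (and, with the customErrors mapping above, the NoAccess.htm page), while an anonymous user still gets the familiar login redirect because the check returns false before the authorization rules are consulted. Under IIS 7 integrated mode the module is registered under `<system.webServer><modules>` instead of `<httpModules>`; the C# code is unchanged.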