Tuesday, February 18, 2014

Redirect Unauthorized Users in ASP.NET using the SuppressFormsAuthenticationRedirect property

Not really sure why it took the ASP.NET team so long to make this fix, nor why I only found out about it now, but when using Forms Authentication in a website you now have the ability to catch unauthorized users and redirect them to an unauthorized page, rather than redirecting to the default login page.  This is done via the SuppressFormsAuthenticationRedirect property of the HTTPResponse.
Up until ASP.NET 4.5, when a user was not authorized to access a website resource, the user was redirected to the default login page as identified in the web.config.  This made for some messy code, as you had to check if there was a redirect URL, if the user was authenticated, etc. to determine whether you should display a message to the user essentially saying “You're logged in but were redirected to the login page, not to log in but because you were trying to do something you shouldn't be doing.. so here's a login form.. but don't log in”.  (Told you it was messy.)
This happened because when an unauthorized request occurred, ASP.NET returned an HTTP 302, which is a redirect.  So ASP.NET did you a “favor” and redirected the user to a login page.  Since ASP.NET 4.5 you can suppress this, meaning that rather than a 302 redirect you get the “raw” 401.2 status code.  This is nice, because now you can respond to a 401 status code and redirect the user yourself, rather than guessing why the user wound up at the login page of your website.
The code's pretty simple, and it all lives in the Global.asax:

Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires at the beginning of each request.
    ' If the user turns out to be unauthorized, send a raw 401.2 rather than a 302 redirect to the login page.
    HttpContext.Current.Response.SuppressFormsAuthenticationRedirect = True
End Sub

Sub Application_EndRequest(ByVal sender As Object, ByVal e As EventArgs)
    Dim application As HttpApplication = CType(sender, HttpApplication)

    ' Anything other than a 401 is none of our business.
    If application.Response.StatusCode <> 401 Then Return

    If application.Request.IsAuthenticated Then
        ' Logged in but not authorized for this resource: send the user to the unauthorized page.
        application.Response.Redirect("~/Unauthorized.aspx")
    Else
        ' Not logged in at all: the automatic redirect to the login page was suppressed above,
        ' so send the user there ourselves (otherwise they would just see a bare 401).
        System.Web.Security.FormsAuthentication.RedirectToLoginPage()
    End If
End Sub

See what we're doing there?  Application_BeginRequest tells the HTTPResponse to “suppress” the redirect activity.  Application_EndRequest looks at the resulting status code of every request once it completes.  If the request ended in a 401 for a user who is logged in, then we can redirect the user to the appropriate page, in this case the Unauthorized.aspx page off my web root.
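For completeness, here is the kind of web.config the Global.asax code above is assumed to sit beside. This is an added example, not configuration from the original post; the Login.aspx path, the Admin folder and the Admin role are assumed names. It shows where the 401.2 comes from in the first place: UrlAuthorizationModule denies the request, and without the suppress flag FormsAuthenticationModule would have turned that denial into a 302 to loginUrl.

```xml
<configuration>
  <system.web>
    <!-- Forms Authentication; loginUrl is where ASP.NET's 302 used to send every 401 -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>

    <!-- Site-wide rule: anonymous users are denied, any authenticated user is allowed.
         Unauthorized.aspx at the web root is therefore reachable by everyone who is
         logged in, so the redirect in Application_EndRequest cannot loop on itself. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The login page must stay open to anonymous users (assumed path) -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Assumed example: an Admin folder restricted to the Admin role. A logged-in user
       who is not in that role gets a 401.2 from UrlAuthorizationModule, which the
       Global.asax code turns into a redirect to ~/Unauthorized.aspx. An anonymous
       user is denied by the site-wide rule first and ends up at Login.aspx. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The one thing to check before relying on this is that the page you redirect 401s to is itself allowed for authenticated users. If Unauthorized.aspx sat inside the restricted folder, each redirect would produce another 401, and Application_EndRequest would redirect to it again in a loop.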
