Why no 403 error for Forms Auth?

Brad

Stupid question time: Why does Forms Auth just keep going to the login page
when access is denied? A 403 error is never raised... at least in my testing
it doesn't.

If I have a particular web or just a page secured then anyone accessing the
page, who is already authenticated but not a permitted user or perhaps not
in a permitted role, will just keep getting the login page. If the user is
permitted or is in the proper role they do get access (yes, I have code in
Application_AuthenticateRequest to populate roles for the user context).
But if using Windows Auth and Windows Roles then a 403 is raised if the user
attempts to access a secure site or page.

It would seem I have to use the User.IsInRole test on each secured page to
throw an access denied error and send the user to an access denied page.
 
Brad said:
Stupid question time: Why does Forms Auth just keep going to the login page
when access is denied? A 403 error is never raised... at least in my testing
it doesn't.

If I have a particular web or just a page secured then anyone accessing the
page, who is already authenticated but not a permitted user or perhaps not
in a permitted role, will just keep getting the login page. If the user is
permitted or is in the proper role they do get access (yes, I have code in
Application_AuthenticateRequest to populate roles for the user context).
But if using Windows Auth and Windows Roles then a 403 is raised if the user
attempts to access a secure site or page.

It would seem I have to use the User.IsInRole test on each secured page to
throw an access denied error and send the user to an access denied page.

My understanding is that 403 is a server code sent by IIS, meaning you
have no access. It reads the security setup in IIS, not the forms
authentication info. This forms authentication code is separate, and
runs after IIS hands the request off to the aspnet process (where forms
auth happens).
 
Brad said:
Stupid question time: Why does Forms Auth just keep going to the login page
when access is denied? A 403 error is never raised... at least in my testing
it doesn't.

The 403 is being raised, but the Forms Authentication module sees this
status code as it is being sent back out. It reacts to the 403 by
redirecting to the login page.
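
One way to return a 403 to users who are already logged in but not authorized, instead of testing User.IsInRole on every secured page. This is an added example, not code from any poster in the thread. It assumes a classic ASP.NET (System.Web) application with a Global.asax code-behind; the class name Global and the helper IsLoginRedirect are hypothetical.

```csharp
// Global.asax.cs (added example; class and helper names are assumptions)
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs at the end of every request, when the response status and any
    // redirect to the login page have already been set.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // An anonymous user should still be sent to the login page.
        if (!Request.IsAuthenticated)
            return;

        // Only touch redirects; normal pages and real errors pass through.
        if (Response.StatusCode != 302)
            return;

        if (!IsLoginRedirect(Response.RedirectLocation))
            return;

        // The user is logged in and is still being bounced to the login
        // page, so the failure is authorization, not authentication.
        // Note: a deliberate redirect to the login page for a logged-in
        // user (for example a "switch user" link) is also turned into 403.
        Response.ClearContent();
        Response.StatusCode = 403;
        Response.StatusDescription = "Forbidden";
    }

    // True when the redirect target is the forms login page from web.config.
    private static bool IsLoginRedirect(string location)
    {
        if (string.IsNullOrEmpty(location))
            return false;

        // LoginUrl is the <forms loginUrl="..."> value; the redirect adds
        // a ?ReturnUrl=... query string after it.
        return location.StartsWith(FormsAuthentication.LoginUrl,
                                   StringComparison.OrdinalIgnoreCase);
    }
}
```

With this in place a custom error page for status 403 can serve as the access-denied page, and the 403 shows up in the IIS log where a login redirect would otherwise hide the denial.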
 