468,103 Members | 1,186 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 468,103 developers. It's quick & easy.

Why no 403 error for Forms Auth?

Stupid question time: Why does Forms Auth just keep going to the login page
when access is denied? A 403 error is never raised..at least in my testing
it doesn't.

If I have a particular web or just a page secured then anyone accessing the
page, who is already authenticated but not a permitted user or perhaps not
in a permitted role, will just keep getting the login page. If the user is
permitted or is in the proper role they do get access (yes, I have code in
Application_AuthenticateRequest to populate roles for the user context).
But if using Windows Auth and Windows Roles then a 403 is raised if the user
attempts to access a secure site or page.

It would seem I have to use the User.IsInRole test on each secured page to
throw an access denied error and send the user to an access denied page.
Nov 18 '05 #1
2 1519
Brad wrote:
Stupid question time: Why does Forms Auth just keep going to the login page
when access is denied? A 403 error is never raised..at least in my testing
it doesn't.

If I have a particular web or just a page secured then anyone accessing the
page, who is already authenticated but not a permitted user or perhaps not
in a permitted role, will just keep getting the login page. If the user is
permitted or is in the proper role they do get access (yes, I have code in
Application_AuthenticateRequest to populate roles for the user context).
But if using Windows Auth and Windows Roles then a 403 is raised if the user
attempts to access a secure site or page.

It would seem I have to use the User.IsInRole test on each secured page to
throw an access denied error and send the user to an access denied page.


My understanding is that 403 is a server code sent by IIS, meaning you
have no access. It reads the security setup in IIS, not the forms
authentication info. This forms authentication code is separate, and
run after IIS hands the request off to the aspnet process (where forms
auth happens).

--
Craig Deelsnyder
Microsoft MVP - ASP/ASP.NET

Nov 18 '05 #2
"Brad" <no****@co.lane.or.us> wrote in message
news:e3**************@TK2MSFTNGP09.phx.gbl...
Stupid question time: Why does Forms Auth just keep going to the login page when access is denied? A 403 error is never raised..at least in my testing it doesn't.


The 403 is being raised, but the Forms Authentication module sees this
status code as it is being sent back out. It reacts to the 403 by
redirecting to the login page.
--
John Saunders
John.Saunders at SurfControl.com
Nov 18 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

reply views Thread by Chris Mohan | last post: by
3 posts views Thread by Smokey Grindle | last post: by
8 posts views Thread by =?Utf-8?B?TFc=?= | last post: by
4 posts views Thread by =?Utf-8?B?RmFyaWJh?= | last post: by
1 post views Thread by Solo | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.