Hi Join,
Thanks for posting in the community!
From your description, you used FormsAuthentication in your ASP.NET web app,
and you used an ASPX page as the defaultRedirect error page. However, you
found that when an error occurred, the user was redirected to the login
page rather than the custom error page unless you used Server.Transfer to
manually direct the user to the error page in the Application_Error event, yes?
If there is anything I misunderstood, please feel free to let me know.
I think the problem you met is an existing issue with Custom Error
Handling, and your situation is accidentally made more complex since you
used FormsAuthentication and the custom error page is protected from
unauthenticated users (deny="?"), yes? Here are the detailed reasons:
1. As the KB article mentioned:
-----------------------------------
Note The page that is specified in defaultRedirect of the <customErrors>
section is an .htm file. If you intend to use GetLastError in an .aspx page
(which the Page_Error and Application_Error samples do), you must store the
exception in a session variable or some other approach before the redirect
takes place.
------------------------------------
This is because after the Application_Error event, the ASP.NET runtime will
stop the current session which threw the error and start a new session
(and also clear the server errors). That's why the article told us to use
some other approach to store the error info. However, it didn't mention
another thing: since the session will be replaced by a new one, we
can't simply use session to store the error. One way to work around it is
to use the "Server.Transfer" method to manually redirect the user to the custom
error page (I noticed you've found this way). Server.Transfer won't
clear the server error, and the current session will remain and not be
replaced by a newly started one. Here is a former post discussing this
issue; you may view my reply there via the following weblink in Google:
http://groups.google.com/groups?hl=e...ame=right&th=c
4385267d67065bd&seekm=qzzKYoi6DHA.2768%40cpmsftngx a07.phx.gbl#link4
2. As for being redirected to the login page rather than the error page, this is
because you used FormsAuthentication. I think you have also made the
custom error page protected from unauthenticated users, yes? As I mentioned
above, after the Application_Error event, if you don't use Server.Transfer
to manually direct the user to the error page, ASP.NET will clear the
server error and start a new session, which also causes the current request
to become unauthenticated, and then the user is redirected to the login page, do
you think so?
As for this issue, I think you can make the custom error page accessible to
unauthenticated users, such as:
<configuration>
  <system.web>
    <!-- main setting here -->
  </system.web>
  <location path="custom_error_page.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
Please check out the preceding suggestions. If anything is still
unclear, please feel free to post here.
Regards,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
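
Added example, not part of Steven Cheng's post: the Server.Transfer approach from point 1 combined with the anonymously accessible error page from point 2, where the exception is logged server-side and the visitor sees only a generic message. The page name custom_error_page.aspx comes from the post; the class names Global and CustomErrorPage and the lblMessage label are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Global.asax code-behind (class name is an assumption).
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        // Server.Transfer stays inside the failing request, so the server
        // error is not cleared before the error page runs.
        Server.Transfer("~/custom_error_page.aspx");
    }
}

// Code-behind for custom_error_page.aspx (class name is an assumption).
public class CustomErrorPage : Page
{
    // Assumed <asp:Label id="lblMessage" runat="server" /> in the markup.
    protected Label lblMessage;

    protected void Page_Load(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex != null)
        {
            // Page exceptions normally arrive wrapped in HttpUnhandledException.
            Exception root = ex.InnerException ?? ex;

            // Full details go to the server-side trace listeners only.
            System.Diagnostics.Trace.TraceError("Unhandled error: {0}", root);

            // Mark the error as handled so <customErrors> does not redirect again.
            Server.ClearError();
        }

        // The page is readable by anonymous users, so it shows no exception
        // text, stack trace, or file paths.
        Response.StatusCode = 500;
        lblMessage.Text = "An unexpected error occurred. Please try again later.";
    }
}
```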