Why no 403 error for Forms Auth?


Brad

Stupid question time: Why does Forms Auth just keep going to the login page
when access is denied? A 403 error is never raised... at least in my testing
it doesn't.

If I have a particular web or just a page secured then anyone accessing the
page, who is already authenticated but not a permitted user or perhaps not
in a permitted role, will just keep getting the login page. If the user is
permitted or is in the proper role they do get access (yes, I have code in
Application_AuthenticateRequest to populate roles for the user context).
But if using Windows Auth and Windows Roles then a 403 is raised if the user
attempts to access a secure site or page.

It would seem I have to use the User.IsInRole test on each secured page to
throw an access denied error and send the user to an access denied page.
 

Craig Deelsnyder

Brad said:
Stupid question time: Why does Forms Auth just keep going to the login page
when access is denied? A 403 error is never raised... at least in my testing
it doesn't.

If I have a particular web or just a page secured then anyone accessing the
page, who is already authenticated but not a permitted user or perhaps not
in a permitted role, will just keep getting the login page. If the user is
permitted or is in the proper role they do get access (yes, I have code in
Application_AuthenticateRequest to populate roles for the user context).
But if using Windows Auth and Windows Roles then a 403 is raised if the user
attempts to access a secure site or page.

It would seem I have to use the User.IsInRole test on each secured page to
throw an access denied error and send the user to an access denied page.

My understanding is that 403 is a server code sent by IIS, meaning you
have no access. It reads the security setup in IIS, not the forms
authentication info. This forms authentication code is separate, and
run after IIS hands the request off to the aspnet process (where forms
auth happens).
 

John Saunders

Brad said:
Stupid question time: Why does Forms Auth just keep going to the login page
when access is denied? A 403 error is never raised... at least in my testing
it doesn't.

The 403 is being raised, but the Forms Authentication module sees this
status code as it is being sent back out. It reacts to the 403 by
redirecting to the login page.
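
The per-page User.IsInRole check raised in the question, centralized in one base class, as an added example that is not code from this thread: anonymous visitors still go to the login page, while signed-in users who lack the role get a 403. RequireRolesAttribute, SecuredPage, Reports and the role names are hypothetical, and the example assumes web.config only denies anonymous users for these pages, so the role decision is left to page code.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical attribute: lists the roles allowed to view a page.
[AttributeUsage(AttributeTargets.Class, Inherited = true)]
public sealed class RequireRolesAttribute : Attribute
{
    public string[] Roles { get; private set; }
    public RequireRolesAttribute(params string[] roles) { Roles = roles; }
}

// Hypothetical base class: secured pages inherit from it instead of Page.
public class SecuredPage : Page
{
    protected override void OnPreInit(EventArgs e)
    {
        // inherit: true finds the attribute on the code-behind class
        // from the compiled .aspx type that GetType() returns.
        var rule = (RequireRolesAttribute)Attribute.GetCustomAttribute(
            GetType(), typeof(RequireRolesAttribute), true);

        if (rule != null)
        {
            if (!Request.IsAuthenticated)
            {
                // Authentication failure: sending the user to log in is correct.
                FormsAuthentication.RedirectToLoginPage();
                Response.End();
            }
            else if (!rule.Roles.Any(User.IsInRole))
            {
                // Authorization failure: the identity is known, so logging in
                // again cannot help. An empty role list denies everyone.
                // FormsAuthenticationModule rewrites only 401 responses,
                // so this 403 reaches the client.
                throw new HttpException(403, "Access denied.");
            }
        }
        base.OnPreInit(e);
    }
}

[RequireRoles("Admin", "Auditor")]   // constructed role names
public partial class Reports : SecuredPage { }
```

A `<customErrors>` entry with `statusCode="403"` in web.config can map the exception to an access denied page.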
 
