Redirect unauthorised user to message page in ASP .Net.

  • Question

  • User1983906528 posted

    I am using ASP .Net (C#) login control Form Based authentication for users and administrator.
    I have folders Secure and Public. After passing authentication, the administrator can access
    both the Secure and Public folders, but when a user logs in he should have access to only the Public folder,
    not Secure. So if a user clicks on any link on the website which has a URL to the Secure folder, instead
    of the login page, how do I redirect the user to a page which displays an unauthorised access message?

    When logged in as administrator I can debug (in secure folder) the page load event, but when logged
    in as user I cannot even reach debug (in secure folder).

    I am still in Dev. Environment.
    Web.Config file :

    <authentication>
        <forms loginUrl="MainLogin.aspx" defaultUrl="Default.aspx" />
    </authentication>

    Web.Config file in Secure Folder:
    <?xml version="1.0" encoding="utf-8"?>

    <configuration>
        <system.web>
            <authorization>
                <allow users="webadmin" />
                <allow roles="Webmaster" />
                <deny users="*" />
            </authorization>
        </system.web>
    </configuration>


    Thanks in advance
    Sultan.

    Monday, May 19, 2014 8:28 PM

Answers

  • User1983906528 posted

    Thanks, Shawn, for your reply.

    I have already changed authentication mode from “Forms” to “Windows” and
    used “custom error”; since then it is redirecting unauthorised users to the “unauthorised.aspx” page.

    Thanks
    Sultan.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, May 30, 2014 12:11 AM

All replies

  • User-1818759697 posted

    Hi,

    For this situation, you are using Forms Authentication and have set up authorization in your web.config to allow access to particular users or roles and/or deny anonymous access. If you want to redirect unauthorized users to a custom Access Denied page instead of the login page:

    Most of the time, it makes sense to redirect unauthorized users to a different page that displays an appropriate message like "Access Denied".

    The first idea would be to use customErrors element in the web.config:

    <customErrors mode="On" defaultRedirect="~/GenericErrorPage.htm">
        <error statusCode="401" redirect="~/unauthorized.htm" />
    </customErrors>

    But that won't work because the FormsAuthenticationModule changes the 401 status to a 302 redirect status and redirects the user to the login page. For more detailed information check here.

    Solution:

    1: Add and design a page (e.g. "unauthorized.aspx") with appropriate access denied message.

    2: Add this code to the Page_Load of your login page. (Note: Originally discussed here)

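    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
            // A user who is already authenticated but arrives at the login page
            // with a ReturnUrl was sent here by an authorization failure, not by
            // a missing login, so show the access-denied page instead.
            if (Request.IsAuthenticated && !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
            {
                Response.Redirect("~/unauthorized.aspx");
            }
        }
    }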

    For more information, you could refer to:

    http://weblogs.asp.net/gurusarkar/archive/2010/01/12/redirect-unauthorized-users-to-access-denied-page-instead-of-login-page.aspx

    http://stackoverflow.com/questions/4834387/how-to-redirect-users-to-an-asp-net-page-when-not-authorized

    Regards

    Tuesday, May 27, 2014 2:17 AM
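
The flow described in the reply above, as an added example that is not part of the original thread and is a simplified console model rather than ASP.NET's own code: it applies the Secure folder's rules in file order, then shows where anonymous, ordinary and administrator requests end up once the login-page check is in place. The class name, the sample path, the user names `jsmith` and `alice` and the role `User` are constructed for illustration.

```csharp
using System;
using System.Linq;

// Simplified model (not ASP.NET itself) of the request flow for the Secure folder.
static class AccessDeniedFlowDemo
{
    sealed class Rule { public bool Allow; public string User; public string Role; }

    // Secure folder rules in file order; the first match wins and "*" is everyone.
    static readonly Rule[] SecureRules =
    {
        new Rule { Allow = true,  User = "webadmin" },
        new Rule { Allow = true,  Role = "Webmaster" },
        new Rule { Allow = false, User = "*" },
    };

    // user == null models an anonymous (not logged in) request.
    static bool IsAllowed(string user, string[] roles)
    {
        foreach (var r in SecureRules)
        {
            bool hit = r.User == "*" || (user != null && r.User == user)
                       || (r.Role != null && roles.Contains(r.Role));
            if (hit) return r.Allow;
        }
        return true; // unreachable here: the final deny rule matches everyone
    }

    // Where the browser ends up for a request to a page in the Secure folder.
    static string Resolve(string user, string[] roles, string path)
    {
        if (IsAllowed(user, roles)) return path; // page is served
        // Denied: forms authentication turns the 401 into a 302 to the login
        // page with ReturnUrl, so the customErrors 401 mapping is never reached.
        bool isAuthenticated = user != null;
        // The Page_Load check from the reply, applied on the login page.
        if (isAuthenticated && !string.IsNullOrEmpty(path))
            return "~/unauthorized.aspx";
        return "MainLogin.aspx?ReturnUrl=" + Uri.EscapeDataString(path);
    }

    static void Main()
    {
        string page = "/Secure/Reports.aspx"; // constructed sample path
        Console.WriteLine(Resolve(null, new string[0], page));          // anonymous
        Console.WriteLine(Resolve("jsmith", new[] { "User" }, page));   // logged in, not admin
        Console.WriteLine(Resolve("webadmin", new string[0], page));    // allowed by user name
        Console.WriteLine(Resolve("alice", new[] { "Webmaster" }, page)); // allowed by role
    }
}
```
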