Forms Authentication - How to tell a user they aren't authorized to access a page(s)

Question
-
User-106241125 posted
In my Web Forms application, I'm using Forms Authentication. Within this application I have a folder of aspx pages that can only be accessed by users in a specific role. I have added a web.config to this folder and configured it as so:
<system.web>
  <authorization>
    <allow roles="AccountingStaff" />
    <deny users="*" />
  </authorization>
</system.web>
Everything works great and without issue.
What I would like to know is: How do I prompt a user who is not in the specified role that access is denied to them when they try to access a page in that folder? Currently they get redirected to my login page (correct - because the app knows they aren't authorized and is asking for credentials of someone who is) which is fine but my user doesn't know that is the issue. They just tell me the application kicked them out for no reason and something must be broken.
Is there a way to tell WHY someone was redirected to the login page so I can display a message explaining why they are being asked to log in? Or maybe catch and handle the problem when they try to access the page they don't have permissions for?
Thanks
Pete
Wednesday, June 22, 2016 8:20 PM
All replies
-
User753101303 posted
Hi,
How do they get at this page? A first step might be to avoid showing a link to a page for which the user is not authorized (you have multiple ways to do that depending on which navigation controls you are using).
Wednesday, June 22, 2016 8:30 PM -
User-106241125 posted
They navigate to pages in this folder 90% of the time from a menu. I am using a DevExpress ASPxMenu control.
In other cases it may be a link from another page.
Pete
Wednesday, June 22, 2016 8:53 PM -
User475983607 posted
> They navigate to pages in this folder 90% of the time from a menu. I am using a DevExpress ASPxMenu control.
> In other cases it may be a link from another page.
> Pete
The point is, you should not let a user click a menu item they can't access. The ASP menus have the ability to filter the menu based on roles.
https://msdn.microsoft.com/en-us/library/e468hxky.aspx
https://msdn.microsoft.com/en-us/library/ms178428.aspx
Consult the DevExpress ASPxMenu control to see if it has something similar.
Wednesday, June 22, 2016 9:09 PM -
User-106241125 posted
I like the approach of hiding navigation elements in the first place and DevExpress does have a way of implementing sitemap trimming based on roles so this will work for me. Thanks for the help.
I'd still like to know if there is a way of letting a user know they are not authorized to view a page regardless of how they land on it (shortcut in their favorites, typing the URL in the address bar, etc.)
Thanks again
Pete
Wednesday, June 22, 2016 10:16 PM -
User409696431 posted
There are multiple ways, but a simple one is to test if the person loading the login page is in fact already logged in. If so, instead of showing them the login control (hide it), show them a message saying something like "You have tried to reach part of the site you are not authorized for", and make sure they have a visible menu they can use to get back to where they belong.
- Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
Wednesday, June 22, 2016 10:27 PM -
User-106241125 posted
Thanks very much Kathy.
This will work fine.
Pete
Wednesday, June 22, 2016 11:28 PM
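
The check described in the accepted answer, sketched as code-behind for the login page. This is an added example, not code from any poster in the thread; the control IDs LoginControl, DeniedPanel and DeniedMessage are assumed names for controls declared in the login page's markup.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Code-behind for the page configured as the forms-authentication loginUrl.
// Assumed markup (hypothetical IDs): <asp:Login ID="LoginControl" />, and
// <asp:Panel ID="DeniedPanel" Visible="false"> wrapping <asp:Literal ID="DeniedMessage" />.
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Forms authentication appends ReturnUrl when it redirects a denied request here.
        string returnUrl = Request.QueryString["ReturnUrl"];

        // An authenticated user who lands here with a ReturnUrl failed the
        // authorization rules (role check), not authentication.
        if (Request.IsAuthenticated && !string.IsNullOrEmpty(returnUrl))
        {
            LoginControl.Visible = false;   // do not ask for credentials again
            DeniedPanel.Visible = true;     // the master page menu stays visible

            // ReturnUrl comes from the query string, so encode it before rendering.
            DeniedMessage.Text = "You are signed in as "
                + HttpUtility.HtmlEncode(User.Identity.Name)
                + " but are not authorized to view "
                + HttpUtility.HtmlEncode(returnUrl) + ".";

            // Report the denial as 403 so server logs record it as an
            // authorization failure; keep IIS from replacing the page body.
            Response.StatusCode = 403;
            Response.TrySkipIisCustomErrors = true;
        }
    }
}
```

An anonymous visitor still sees the normal login control, because Request.IsAuthenticated is false for them.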