Forms authentication: disable redirect to the login page

Question

I have an application that uses ASP.NET Forms Authentication. For the most part, it\'s working great, but I\'m trying to add support for a simple API via an .ashx file. I wa

Answer 1

I'm not sure if this will work for everyone, but in IIS7 you can call Response.End() after you've set the status code and description. This way, that #&$^#@*! FormsAuthenticationModule won't do a redirect.

public void ProcessRequest(HttpContext context) {
    Response.StatusCode = 401;
    Response.StatusDescription = "Authentication required";
    Response.End();
}

Answer 2

what you've found out is correct about the forms auth intercepting the 401 and doing a redirect but we also can do that to reverse that.

Basically what you need is an http module to intercept the 302 redirect to the login page and reverse it to a 401.

Steps on doing that is explained in here

The given link is about a WCF service but it is the same in all the forms auth scenarios.

As explained in the above link you need to clear the http headers as well but remember to put the cookie header back to the response if the original response (i.e. before intercepting) contained any cookies.

Answer 3

Look inside your Web.config file in configuration\authentication. If there is a forms subelement there with a loginUrl attribute, remove it and try again.

Answer 4

I don't know how that Response.End() worked for you. I tried it with no joy, then looked at MSDN for Response.End(): 'stops execution of the page, and raises the EndRequest event'.

For what it's worth my hack was:

_response.StatusCode = 401;
_context.Items["401Override"] = true;
_response.End();

Then in Global.cs add an EndRequest handler (which will get called after Authentication HTTPModule):

protected void Application_EndRequest(object sender, EventArgs e)
{
    if (HttpContext.Current.Items["401Override"] != null)
    {
        HttpContext.Current.Response.Clear();
        HttpContext.Current.Response.StatusCode = 401;
    }
}

Answer 5

To build on zacharydl's answer slightly, I used this to solve my woes. On every request, at the beginning, if it's AJAX, immediately suppress the behavior.

protected void Application_BeginRequest()
{
    HttpRequestBase request = new HttpRequestWrapper(Context.Request);
    if (request.IsAjaxRequest())
    {
        Context.Response.SuppressFormsAuthenticationRedirect = true;
    }
}

Answer 6

You do not set the WWW-Authenticate header in the code you show, so the client cannot do HTTP authentication instead of forms authentication. If this is the case, you should use 403 instead of 401, which will not be intercepted by the FormsAuthenticaitonModule.