How to Redirect Users to an ASP.NET page when not Authorized?

断了今生、忘了曾经 submitted on 2019-11-30 03:08:20

On the Page_Load of your login page, you'll want to check if the user is authenticated, and if they are, redirect them to your access denied page:

protected void Page_Load(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated) // if the user is already logged in
    {
        Response.Redirect("~/AccessDenied.aspx");
    }
}

If you want to get a little fancier, you can check the ReturnUrl parameter to determine if the user came to the page directly (such as through a bookmark they saved right to the login page) and handle that differently. Here's an example:

protected void Page_Load(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated)
    {
        // if they came to the page directly, ReturnUrl will be null.
        if (String.IsNullOrEmpty(Request["ReturnUrl"]))
        {
            /* in that case, instead of redirecting, I hide the login
               controls and instead display a message saying that they are
               already logged in. */
        }
        else
        {
            Response.Redirect("~/AccessDenied.aspx");
        }
    }
}
Filip

For me, the least-hassle, most-benefit solution to this problem was to create another section (panel) in the Login.aspx page with contents to be displayed to users who are authenticated (e.g. logged in) saying "Access denied" instead of the login form. When a logged-in user hits the page, it means they most likely ended up here because they are not authenticated to access the page that redirected them here.

In the login page I use this very simple code to switch visibility of the panel and login form:

if (Request.IsAuthenticated)
{
    LoginUser.Visible = false;
    AccessDeniedPanel.Visible = true;
}

It's dead simple and it works.

santiagoIT

You need to:

1) Enable roles in web.config (replace 'xxx' with your own values):

<roleManager enabled="true">
  <providers>
    <clear />
    <add connectionStringName="ApplicationServices" applicationName="xxx"
      name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
    <add applicationName="xxx" name="AspNetWindowsTokenRoleProvider"
      type="System.Web.Security.WindowsTokenRoleProvider" />
  </providers>
</roleManager>

2) You need to restrict access to certain areas of your website for specific roles. I actually answered another question today where I explain how to achieve this. Here is the link

You need to distinguish between authentication and authorization. Your code snippet addresses the former ("Am I known to this site") but not the latter ("Am I allowed to access this page").

As @santiagoIT suggests, roles may be the best solution to implement the authorization you need. Some controls, such as the LoginView, are role-aware and authentication-aware, so you can use these to display different content depending on the role that the user is in.

A common approach is to display different menus to users in the different roles, so that they are only presented with menus which are relevant to their roles - the LoginView is often used for this.

Alternatively, you could control the visibility of the content on individual pages, again using the LoginView, so that users who are not authenticated get one message, those who are authenticated but not allowed to view the page get a second message, and those who are both authenticated and allowed to view the page see the content.

If you simply want to redirect a user who is authenticated but does not have the required access to view a page, you could also check that the user is in the appropriate role (Roles.IsUserInRole) and redirect to the "You do not have access.." page if not.

If you are really security conscious, you may want to combine the restricted menu/view approach with authorization checking on each page.

Try this:

Suppose you need only admin users to access the specified page of yours; then in the page_load you could write this:

if (User.Identity.IsAuthenticated)
{
    if (!User.IsInRole("Admin"))
    {
        Server.Transfer("~/AccessDeniedPage.aspx");
    }
}

And in case you are using routes, you could do:

if (User.Identity.IsAuthenticated)
{
    if (!User.IsInRole("Admin"))
    {
        Response.RedirectToRoute("AccessDeniedRoute");
    }
}
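
As an added example (not part of any answer on this page), the per-page role check from the answers above can be placed in a shared base class so that every protected page separates "not logged in" from "logged in but not allowed" and stops processing before any page logic runs. `RoleProtectedPage`, `AdminReports` and the `~/AccessDenied.aspx` path are assumptions, as is a site using Forms authentication with a role provider configured.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Hypothetical base class: pages that require a role inherit from it
// and name the role, so the check cannot be forgotten on a single page.
public abstract class RoleProtectedPage : Page
{
    // Role required to view the page, e.g. "Admin".
    protected abstract string RequiredRole { get; }

    // Assumed location of the access-denied page; adjust to your site.
    private const string AccessDeniedUrl = "~/AccessDenied.aspx";

    protected override void OnInit(EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            // Authentication failure: send the visitor to the login page.
            // RedirectToLoginPage does not end the request by itself, so
            // end it explicitly or the rest of the page would still run.
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
            return;
        }

        if (!User.IsInRole(RequiredRole))
        {
            // Authorization failure: the user is known but lacks the role.
            // Response.Redirect(string) ends the response, so nothing from
            // the protected page is rendered.
            Response.Redirect(AccessDeniedUrl);
            return;
        }

        base.OnInit(e);
    }
}

// Code-behind of a protected page (hypothetical name).
public partial class AdminReports : RoleProtectedPage
{
    protected override string RequiredRole { get { return "Admin"; } }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs only after both checks in OnInit have passed.
    }
}
```

Hiding menus or panels changes only what the user sees; the check in `OnInit` is what keeps a directly requested URL from being served.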

You may set a custom error page like this:

<system.web>
  <customErrors mode="On">        
    <error statusCode="403" redirect="AuthError.aspx" />      
  </customErrors>
</system.web>