I’ve attached the relevant portion of my web.config file below.
When a user attempts to directly visit the url admin.aspx, and they are not an admin, they are redirected to the login page. However, the user then attempts to visit ViewWeek.aspx, it indicates that they are still logged in.
Why does this ASP.NET authorization boot the user to the login screen, yet keep the user logged in? I’d rather it just direct the user to the default URL specified in the forms tag.
Thanks
Here’s my Forms Authentication:
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" defaultUrl="ViewWeek.aspx" timeout="50000000" />
</authentication>
And here’s my authorization
Forms authentication redirects an authenticated user to the login screen if they have insufficient authority to access certain pages of a web application to give them an opportunity to log in with another user account that they may have that is authorised to access the pages.
The usual way I have got around this is to have logic in the login page to detect if the user is already logged in and was redirected to the login page. If they are in this state, redirect them to an access denied page.