There must be something I’m missing in my understanding of how .NET’s authentication/authorization and login redirection system works. I have a page admin/default.aspx that is restricted to admin users, so I have for example:
<configuration>
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
When the user gets here, if he is not an admin, he gets redirected to the login page as specified in the web.config:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" name="someName" timeout="60" path="/">
  </forms>
</authentication>
with a return url (which looks like ReturnUrl=%2fAdmin%2fDefault.aspx). Now, if the user logs in again with credentials that do not match the “admin” role specification, he gets redirected to the admin/default page and then back to the login page again.
I guess it’s all working fine, but it would seem that I could redirect to the login page if a user is not logged in, but redirect him to another (home or default) page if he’s logged in but doesn’t fit the role requirements.
How might I go about doing this?
Thanks in advance,
Rusty
You can do this a couple of ways:
Write a custom authentication provider derived from the forms provider.
Write an HttpModule. I’m not sure which event would be best to trap, as before authentication you don’t have a role, and after authentication the forms authentication module will already be redirecting you to the login page, so identifying the redirect response in the later events may be the way to go. (This may have the ancillary effect that all redirections to the logon page for an authenticated user would go to the logged-on user’s ‘home’ page.)
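
The HttpModule approach from the answer above, as an added example that is not part of the original thread: in EndRequest it detects the redirect to the login page for a user who is already authenticated and sends them to a fixed page instead. The class name RoleDeniedRedirectModule and the landing page ~/Default.aspx are assumptions, and the check assumes redirects are emitted as app-absolute paths (the default) and that this module runs after the forms authentication module.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module: rewrites the forms-authentication login redirect
// for users who are signed in but were denied by the <authorization> rules.
public class RoleDeniedRedirectModule : IHttpModule
{
    // Assumption: fixed, app-relative page for signed-in users lacking the role.
    private const string HomeUrl = "~/Default.aspx";

    public void Init(HttpApplication app)
    {
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpResponse response = context.Response;

        // Anonymous users still get the normal redirect to the login page.
        if (response.StatusCode != 302 || !context.Request.IsAuthenticated)
            return;

        // Only touch redirects that point at the configured loginUrl;
        // any other 302 issued by the application is left alone.
        string location = response.RedirectLocation;
        if (string.IsNullOrEmpty(location) ||
            !location.StartsWith(FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase))
            return;

        // Avoid a redirect loop if the landing page itself is restricted.
        string home = VirtualPathUtility.ToAbsolute(HomeUrl);
        if (string.Equals(context.Request.Path, home, StringComparison.OrdinalIgnoreCase))
            return;

        // Fixed destination: the ReturnUrl query value is never used as a target.
        response.ClearContent();
        response.RedirectLocation = home;
    }
}
```

Register the module under httpModules in web.config (modules under system.webServer for the IIS integrated pipeline). The allow/deny rules are unchanged, so the admin page stays blocked for non-admin users; only the destination of the redirect differs.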