We are using forms authentication with roles to restrict access to certain pages and areas of a website. When a user is not authorised, either because they are not logged in or do not have the required role, they are redirected to the login page with a returnto url.

We define what access is required in the web.config using the authorization tags like:

<authorization>
    <deny users="?"/>
</authorization>

The web application we are working on uses HttpContext.Current.RewritePath for friendlier URLs and dynamic pages, so that a request for "/MyPages/MyDocuments.aspx" gets rewritten to "/PageTypes/Library.aspx" or something along those lines.

However, when the application redirects because a user does not have permission, the ReWritePath is used instead of the Raw URL.

What do I need to override so that the returnto URL is the requested URL instead of the actual physical path?

+1  A: 

Depending on what version of IIS (6 or 7) you are running, the answer may be different; however, I suspect the problem is that the ASP.NET request pipeline is first authenticating the user using forms authentication, and then later running the RewritePath code / module, thus overwriting the normal returnto response.

The key may be to plug the rewrite module into the pipeline earlier than the authentication / authorization modules. If you are using raw code rather than an HTTP Module to do this in your base class, global.asax etc., first check to see if the user is valid or authorized before executing the code.

ASP.NET Pipeline and Thoughts on Rewriting Vs Routing

PortageMonkey
A: 

What I ended up doing was moving my code into Application_AuthorizeRequest which meant that the user was authenticated before the page was requested which kept the original URL intact.

John_
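
The approach from the two answers above, sketched as an added example (not code posted by anyone in the thread): the rewrite runs in Application_AuthorizeRequest and is skipped for unauthenticated requests. The `Rewrites` map is hypothetical, and the sketch assumes every rewritten page requires login, as with the `<deny users="?"/>` rule in the question.

```csharp
// Global.asax.cs - added illustration, not code from the thread.
using System;
using System.Collections.Generic;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical friendly-URL map (assumption); a real site would
    // resolve this from wherever its dynamic pages are defined.
    private static readonly Dictionary<string, string> Rewrites =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "/MyPages/MyDocuments.aspx", "/PageTypes/Library.aspx" }
        };

    // Deliberately not Application_BeginRequest: a rewrite there replaces
    // Request.Path before the authentication stage has run.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Leave unauthenticated requests on the URL that was requested,
        // so the request is not pointing at the physical page when the
        // forms-authentication redirect to the login page is issued.
        if (!context.Request.IsAuthenticated)
        {
            return;
        }

        string target;
        if (Rewrites.TryGetValue(context.Request.Path, out target))
        {
            // Carry the original query string over to the physical page.
            string query = context.Request.QueryString.ToString();
            context.RewritePath(query.Length > 0 ? target + "?" + query : target);
        }
    }
}
```

With the rewrite deferred like this, web.config authorization rules are evaluated against the path the request carries at that stage, so confirm that any `<location>` rules are written for the URLs you intend to protect and that the physical pages are not reachable directly with weaker rules.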