Hi,

I am using an asp.net login control with one of my asp.net applications to authenticate users. I also have roles defined as well.

Some of the directories are set up so only users with ROLE "MANAGER" are able to access pages under those directories. If the user does not have the "MANAGER" role, he will simply be redirected back to the login page.

So my question is: for the out-of-box login control, is there a way to show the proper login fail error message for a user trying to log in who does not have a proper ROLE assigned to them, instead of a generic error message saying "login failed"?

Thanks.

+3  A: 

What you are experiencing is a long-standing bug in asp.net authentication.

ASP.Net treats all failures as authorization failures and endlessly redirects to login when it should recognize UNDER-authorization and allow redirection to 403.

There are many kludges and hacks, some of which I have used and/or developed in the past.

I finally got fed up and fixed ASP.Net.

http://www.codeproject.com/Articles/39062/Salient-Web-Security-AccessControlModule.aspx

Note: the verbiage of the article is ajax slanted, as this, ultimately, was the motivation, but don't be put off by all of the talk of headers. It can be used in default state with standard asp.net authentication/membership/roles.

Sky Sanders
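
A common workaround for the redirect behaviour described in this answer, shown as an added example (it is not from the answer or the linked article): on the login page, treat a request that is already authenticated and carries a `ReturnUrl` as a role failure rather than a credential failure. The control IDs `AccessDeniedLabel` and `LoginControl` and the class name `LoginPage` are assumptions.

```csharp
// Added example: code-behind for the login page (for instance Login.aspx.cs).
// Assumed markup on the page: <asp:Label ID="AccessDeniedLabel" Visible="false" />
// and <asp:Login ID="LoginControl" />. Both IDs are hypothetical.
using System;
using System.Web;
using System.Web.UI;

public partial class LoginPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only evaluate on the initial GET, not when the login form posts back.
        if (IsPostBack)
            return;

        // Forms authentication appends ReturnUrl when it redirects a denied
        // request to the login page.
        bool redirectedFromProtectedPage =
            !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]);

        // A user who is already signed in and was still sent here passed
        // authentication but failed the role check on the target directory.
        if (Request.IsAuthenticated && redirectedFromProtectedPage)
        {
            // Label.Text is written to the page as-is, so encode the user name.
            AccessDeniedLabel.Text = HttpUtility.HtmlEncode(
                "You are signed in as " + User.Identity.Name +
                ", but your account does not have the role required for that page.");
            AccessDeniedLabel.Visible = true;

            // Hide the login form: re-entering the same credentials cannot help.
            LoginControl.Visible = false;
        }
    }
}
```

The message never echoes `ReturnUrl` back to the page and the code never redirects to it, so the check does not add a reflected-input or open-redirect path.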
