ASP.NET Login Redirect Loop when user not in role

Question

I'm in a bit of a bind with implementing Roles in ASP.NET MVC 5. I am attempting to log in as a user that does not have a role required to access the area of the application I'm trying to reach. What I would expect in this scenario is, I'm redirected to the login page again, and will be until I enter a set of credentials that do have access or I navigate to another area of the application.

What is actually happening is that the application appears to go into a login redirect loop, debugging through reveals that the Login action is being called multiple times.

Here is the login action:

[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
    ViewBag.ReturnUrl = returnUrl;
    return View();
}

This results in an error generated by IIS:

HTTP Error 404.15 - Not Found
The request filtering module is configured to deny a request where the query string is too long.

The query string looks like this:

http://localhost/MyApplication/Account/Login?ReturnUrl=%2FMyApplication%2FAccount%2FLogin%3FReturnUrl%3D%252FMyApplication%252FAccount%252FLogin%253FReturnUrl%253D%25252FMyApplication%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FMyApplication%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FMyApplication%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FMyApplication%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FMyApplication%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FMyApplication%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FMyApplication%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FMyApplication%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FMyApplication%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FMyApplication%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FMyApplication%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FMyApplication%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FMyApplication%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FMyApplication%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FMyApplication%252525252525252525252525252525252F

The only change I've made going from a working solution (albeit without role based authorization) to my current broken situation is adding the following above the controller that I'm redirected to on a successful login:

[Authorize(Roles = "Staff")]

As I said previously, the user I'm logging in as is not in this role, but I would expect a sane, single redirect to Login, without the looping.

Edit: requested bu @dima, the details of authorization applied through filters... I have the following:

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

However, I have tested the application with and without this line in place and the redirect loop continues unabated.

Answer 1

While this question is old, I had the same problem and found a solution.

Originally, I had added the same AuthorizationAttribute filter, and found myself in the same loop. I then took it away and began adding the authorize attribute to individual controllers, and found that the infinite loop only happened when adding the authorize attribute to my home controller. It turns out my HomeController was getting called after my AccountController.

The Problem

---

In my _Layout.cshtml, I was calling the following:

@Html.Action("LeftNav", "Home")

The layout page would correctly render the body, but when it got to this, it was hitting a controller method that had an authorization attribute. This caused the redirect to the Account/Login.

Adding the AllowAnonymous attribute to the LeftNav action resolved the issue.

The Solution

---

Make sure your Login view and layouts do not call any actions that have an authorize attribute.

Since discovering this, I've created a custom layout for my unauthorized requests to avoid any more potential issues like this.