
ASP.NET MVC Authorize Attribute does a 302 redirect when the user is not authorized

MSDN explicitly says it should do 401 redirect, but I'm getting a 302 redirect on FF, and this is causing problems in AJAX requests as the returned status is 200 (from the redirected page).

http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx

I've found someone else with the same problem: http://blog.nvise.com/?p=26

Any other solution, besides his?

Bernardo Botelho asked Oct 20 '10 13:10



2 Answers

I implemented my own custom authorize attribute which inherited from AuthorizeAttribute and ran into the same problem.

Then I found out that since .NET 4.5 there is a solution to this - you can suppress the redirect in the following way:

context.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;

Then the response will be a 401 - Unauthorized, along with the HTTP Basic authentication challenge.

More info here

soupy1976 answered Sep 17 '22 13:09


If you are using an ASP.NET MVC 5 Web Application, go to App_Start -> Startup.Auth.cs. Check if app.UseCookieAuthentication is enabled and see if CookieAuthenticationOptions is set to LoginPath = new PathString("/Login"), or similar. If you remove this parameter, 401 will stop redirecting.

Description for LoginPath:

The LoginPath property informs the middleware that it should change an outgoing 401 Unauthorized status code into a 302 redirection onto the given login path. The current url which generated the 401 is added to the LoginPath as a query string parameter named by the ReturnUrlParameter. Once a request to the LoginPath grants a new SignIn identity, the ReturnUrlParameter value is used to redirect the browser back to the url which caused the original unauthorized status code. If the LoginPath is null or empty, the middleware will not look for 401 Unauthorized status codes, and it will not redirect automatically when a login occurs.

Ogglas answered Sep 16 '22 13:09
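
The two answers above can be combined so that browser navigation still gets the login redirect while AJAX callers get a real status code. This is an added example, not code from either answer; the names AjaxAwareAuthorizeAttribute and IsAjax are hypothetical, and the "ApplicationCookie" authentication type is an assumption.

```csharp
using System;
using System.Net;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical attribute name; apply it in place of [Authorize].
public sealed class AjaxAwareAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (!http.Request.IsAjaxRequest())
        {
            base.HandleUnauthorizedRequest(filterContext); // page loads keep the login redirect
            return;
        }
        // Forms authentication (.NET 4.5+): stop the 401 being rewritten into a 302.
        http.Response.SuppressFormsAuthenticationRedirect = true;
        // Signed in but not permitted is 403; not signed in is 401.
        bool signedIn = http.User != null && http.User.Identity.IsAuthenticated;
        filterContext.Result = new HttpStatusCodeResult(
            signedIn ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized);
    }
}

public partial class Startup
{
    // OWIN cookie middleware (Startup.Auth.cs): keep LoginPath, skip the redirect for AJAX.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie", // assumed; match your app's value
            LoginPath = new PathString("/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnApplyRedirect = ctx => { if (!IsAjax(ctx.Request)) ctx.Response.Redirect(ctx.RedirectUri); }
            }
        });
    }

    private static bool IsAjax(IOwinRequest request)
    {
        return string.Equals(request.Headers["X-Requested-With"], "XMLHttpRequest", StringComparison.OrdinalIgnoreCase);
    }
}
```

The X-Requested-With header is client-supplied and here only selects the response shape (302 versus 401/403); the access decision itself is still made by AuthorizeAttribute. Callers that do not send the header still receive the redirect.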