How does FormsAuthentication.RedirectFromLoginPage() work?

Question

It doesn't return a view. In fact, the Action still needs to return a view after calling this ... so what's going on?

Answer 1

If you want to use the FormsAuthentication system, you'll want to switch to this line (which implicitly uses the returnUrl parameter).

return Redirect(FormsAuthentication.GetRedirectUrl(model.UserName, true));

You will get the URL that FormsAuthentication.RedirectFromLoginPage would have used, but you will explicitly bail from the action method with a RedirectResult instead.

Note

If you go this route, you'll want to put a defaultUrl parameter in the forms auth web.config line in case someone goes directly to your login page (or they pass in a redirectUrl that doesn't pass FormsAuthentication's security restrictions). Without overriding the default, bad URLs will be redirected to ~/default.aspx. In most MVC apps, that will likely 404.

<forms loginUrl="~/Account/LogOn" defaultUrl="~/" timeout="2880">

Alternative

If you spin up a new MVC 3 sample "Internet Application", you will find a LogOn action method that handles a returnUrl similar to what FormsAuthentication.RedirectFromLoginPage does internally.

if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
    && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\")) {
    return Redirect(returnUrl);
}
else {
    return RedirectToAction("Index", "Home");
}

Answer 2

It's exactly what it says - a redirect. This is a response code sent to the browser to ask it to request another URL. That's the point at which a view is requested in MVC, or a web page in straight ASP.NET.