Re: Can I force 401 error when user not authenticated?

From: Ken Schaefer (
Date: 04/24/04

Date: Sat, 24 Apr 2004 23:31:31 +1000


What type of authentication are you talking about? If you are talking about
HTTP Authentication, you can't (as a general rule [1]) do this with a form.
Why? Because you need to authenticate *before* the form can be loaded
(before ASP.NET even kicks in). This happens directly between the webserver
and webbrowser.

If you are talking about forms auth, then you specify your own login page.
Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
concerned, all user access is "anonymous". It is ASP.NET that keeps track of
users, and who's authenticated etc.


[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP auth
via a form. Whether this also works with ASP.NET I don't know, and it's not
an officially supported product. The source code for this tool is in the
Windows 2003 Platform SDK.

"Bigtoga" <> wrote in message
: Excellent info - thanks very much.
: So, if I have a page/section that requires authentication and a user who is
: not authenticated tries to visit, can I redirect to a different page than
: the loginUrl specified in web.config?
: Essentially, I'm using
: <?xml version="1.0" encoding="utf-8" ?>
: <configuration>
: <system.web>
: <authorization>
: <allow roles="SuperPeople"/>
: <deny users="*" />
: </authorization>
: </system.web>
: </configuration>
: in my web.config file for each "secure" directory. If the user is already
: logged in but doesn't belong to the SuperPeople role, it sends them to the
: login page (but they've already logged in).
: Any ideas would be helpful
: "Ken Schaefer" <> wrote in message
: news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
: > Hi
: >
: > When using forms authentication, you are never sending back a 403.
: > You are just redirecting the user to another ASP.NET page. A 403 header
: > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
: > etc).
: >
: > Forms auth never involves these HTTP status codes - all pages are 200.
: > It is at the application layer (of your ASP.NET app) that you enforce
: > authentication, not at the lower HTTP level.
: >
: > Cheers
: > Ken
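
The following is an added example, not part of the original thread and not code from either poster. It shows one common way to handle the case Bigtoga describes, where a user who is already logged in but lacks the SuperPeople role lands on the login page again: the login page itself detects that situation and sends the user elsewhere. It assumes a C# code-behind for the page named in loginUrl; the class name `Login` and the page `AccessDenied.aspx` are hypothetical, and `AccessDenied.aspx` is assumed to be reachable by any authenticated user.

```csharp
// Login.aspx.cs: code-behind for the page configured as loginUrl.
// Added example; Login and AccessDenied.aspx are hypothetical names.
using System;
using System.Web.UI;

public class Login : Page
{
    // Hypothetical application-relative path of the "not authorized" page.
    private const string AccessDeniedPath = "~/AccessDenied.aspx";

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        // Forms auth sends every failed authorization check to loginUrl and
        // appends the originally requested path as the ReturnUrl parameter.
        // That happens for anonymous callers and also for callers who are
        // logged in but fail the <allow roles="SuperPeople"/> rule.
        string returnUrl = Request.QueryString["ReturnUrl"];
        bool bouncedHere = (returnUrl != null && returnUrl.Length > 0);

        // Authenticated and bounced here: this is an authorization failure,
        // not a missing login, so asking for credentials again is pointless.
        if (Request.IsAuthenticated && bouncedHere)
        {
            // ReturnUrl is caller-controlled, so it is deliberately not
            // copied into the redirect target or echoed to the user.
            Response.Redirect(ResolveUrl(AccessDeniedPath), true);
            return;
        }

        // Anonymous caller (or a direct visit): render the login form.
    }
}
```

The check relies only on `Request.IsAuthenticated` and the presence of `ReturnUrl`, so it does not need to know which role the protected directory required.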