sharptooth

Reputation: 170489

How is this module for suppressing Forms Authentication supposed to work?

Here's a post about a module for suppressing Forms Authentication for certain requests. The idea is that the module is registered in web.config and so for each request its Init() is invoked:

public void Init(HttpApplication context) {
    // Subscribe to the two pipeline events the module needs.
    context.PostReleaseRequestState += OnPostReleaseRequestState;
    context.EndRequest += OnEndRequest;
}

Then, once the request is nearing the end of the IIS pipeline, the EndRequest event fires and this code is invoked:

private void OnEndRequest(object source, EventArgs args) {
    var context = (HttpApplication)source;
    var response = context.Response;

    // Only touch responses that were flagged earlier in the pipeline.
    if (context.Context.Items.Contains(SuppressAuthenticationKey)) {
        response.TrySkipIisCustomErrors = true; // keep IIS from substituting its own error page
        response.ClearContent();                // discard any body already written
        response.StatusCode = 401;              // send the bare 401 to the client
        response.RedirectLocation = null;       // drop the Location header
    }
}

other pieces of the code are invoked earlier and guarantee that SuppressAuthenticationKey is set in context.Context.Items.

Now I've got the IIS sources (they are available for research), and there's the implementation of FormsAuthenticationModule: it subscribes to EndRequest, and its handler dutifully redirects all requests that ended with an HTTP 401 code.

Not only do I see the code, but I also see it working this way. No amount of .RedirectLocation = null has any effect on this.

How is that code supposed to suppress Forms Authentication redirect if the redirect is made insuppressible in IIS?

Upvotes: 1

Views: 435

Answers (1)

sharptooth

Reputation: 170489

Turns out, this is how this thing is supposed to work.

EndRequest first fires for FormsAuthenticationModule, and its event handler sets up a redirect. But the redirect is not performed immediately; the actual effect is that it just sets aside the HTTP 302 and the redirect URL in the response, and request handling continues. Then EndRequest fires for the suppression module, and the suppression module clears the previously set-up redirect as if it had never been set up.

So the request handling continues as if there was no redirect in the first place.

Upvotes: 1
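As an added example that is not part of the question or the answer above, here is a complete IHttpModule built around the handler ordering the answer describes: FormsAuthenticationModule's EndRequest handler turns the 401 into a 302 plus a Location header, and a module registered later in web.config gets its own EndRequest handler called afterwards and can undo that. The class name, the Items key, the "/api/" path prefix and the X-Requested-With check are this example's own choices. It assumes the 401 is produced by the request handler itself (for instance an MVC authorization filter), so the pipeline still reaches PostReleaseRequestState; a 401 set by UrlAuthorizationModule, which calls CompleteRequest, skips straight to EndRequest and would not be flagged here.

```csharp
using System;
using System.Web;

// Example module (not the original post's code). Register it in the application's
// web.config so it is initialized after the built-in modules, which is what makes its
// EndRequest handler run after FormsAuthenticationModule's:
//
//   <system.webServer>
//     <modules>
//       <add name="SuppressFormsRedirect"
//            type="SuppressFormsRedirectModule, YourAssembly" />   <!-- assembly name assumed -->
//     </modules>
//   </system.webServer>
public sealed class SuppressFormsRedirectModule : IHttpModule
{
    // Key for the per-request flag. HttpContext.Items is the right place because
    // Init() runs once per HttpApplication instance, not once per request.
    private const string SuppressAuthenticationKey = "SuppressFormsRedirectModule.Suppress";

    public void Init(HttpApplication context)
    {
        context.PostReleaseRequestState += OnPostReleaseRequestState;
        context.EndRequest += OnEndRequest;
    }

    public void Dispose()
    {
    }

    // Runs before FormsAuthenticationModule has rewritten the status, so a 401 is
    // still visible here. Flag API-style requests that should keep the bare 401.
    private static void OnPostReleaseRequestState(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var request = app.Context.Request;
        var response = app.Context.Response;

        // Assumed conventions: anything under /api/, or an XMLHttpRequest call.
        bool isApiCall =
            request.Path.StartsWith("/api/", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(request.Headers["X-Requested-With"], "XMLHttpRequest",
                          StringComparison.OrdinalIgnoreCase);

        if (isApiCall && response.StatusCode == 401)
        {
            app.Context.Items[SuppressAuthenticationKey] = true;
        }
    }

    // Runs after FormsAuthenticationModule's EndRequest handler, which by now has
    // set a 302 and a Location pointing at the login page. Put the 401 back.
    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!app.Context.Items.Contains(SuppressAuthenticationKey))
        {
            return;
        }

        var response = app.Context.Response;
        response.TrySkipIisCustomErrors = true; // don't let IIS swap in its own 401 page
        response.ClearContent();                // drop any login-page body already buffered
        response.StatusCode = 401;              // replace the 302
        response.RedirectLocation = null;       // remove the Location header
    }
}
```

The check an operator should make after deploying this is simply to request a protected /api/ URL without a cookie and confirm the response is a 401 with no Location header; if a 302 still comes back, the module is being initialized before FormsAuthenticationModule, so its handler runs first and the redirect is set up after it has cleared it. On .NET 4.5 and later the same effect is available without a custom module: setting Response.SuppressFormsAuthenticationRedirect = true on the request tells FormsAuthenticationModule to leave the 401 alone.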
