WAQ

Reputation: 2626

If the current user does not have permission to a particular page, how should it be handled?

I want to handle the scenario in my application where, if a user does not have permission to view a particular aspx page, an error message should pop up.
How should I handle that?
Should I redirect the user to a specific error aspx page and display the error there?
Navigate back to the original page (previous page)?
What's the best way to deal with this?

Upvotes: 0

Views: 759

Answers (2)

Luaan

Reputation: 63732

Redirecting is IMO a bad idea, it just confuses the user. Transfer the request on the server (e.g. Server.Transfer or similar; in MVC, you might have a separate view for permission errors etc.). This way, the user can easily go back to where he came from (instead of being redirected in a loop when he tries to go back), and if he logs in on the error page, you can just refresh to apply the new permissions.

On the HTTP level, you're not supposed to redirect on permission issues. You either return status code 401, if the user is not logged in and allow him to log in (useful for Windows authentication, for example), or 403 if he's logged in but doesn't have permissions, or if you want to use your own login form (and error message). If in doubt, use 403. If doubly in doubt, even 200 might be fine as well; some browsers might ignore your response completely when you issue a 403.

The same way, the user can still use bookmarks and send links to friends.

Upvotes: 1
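
A sketch of the server-side transfer with 401/403 described in the answer above, as an added example that is not code from the answer. The `SecuredPage` base class, the `RequiredRole` property, the `DeniedStatus` item key and the `~/AccessDenied.aspx` path are hypothetical names chosen for illustration.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base class: every protected .aspx page inherits from it.
public abstract class SecuredPage : Page
{
    // Role the current user must hold to view the page (set per page).
    protected abstract string RequiredRole { get; }

    protected override void OnPreInit(EventArgs e)
    {
        base.OnPreInit(e);
        if (!Request.IsAuthenticated)
            Deny(401);   // not logged in
        else if (!User.IsInRole(RequiredRole))
            Deny(403);   // logged in, but not permitted
    }

    private void Deny(int statusCode)
    {
        // HttpContext.Items lives for the whole request, so it survives the transfer.
        Context.Items["DeniedStatus"] = statusCode;
        // Server-side transfer: the browser keeps the requested URL, so Back,
        // bookmarks and shared links keep working. Execution of this page stops here.
        Server.Transfer("~/AccessDenied.aspx");
    }
}

// Code-behind of the hypothetical AccessDenied.aspx error view.
public partial class AccessDenied : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Default to 403 when the page is requested directly.
        int status = (Context.Items["DeniedStatus"] as int?) ?? 403;
        Response.StatusCode = status;
        // Keep IIS from swapping the body for its own error page.
        Response.TrySkipIisCustomErrors = true;
        // Never let a cache store the denial for this URL.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
    }
}
```

With Forms Authentication a 401 is normally turned into a redirect to the login page, which is why the answer suggests 403 when you use your own login form.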

Praveen Shakkarval

Reputation: 56

You should go to the main page or home page of your application and show the error there, because if you navigate to a custom error page it will be useless effort, and if you navigate back to the original page then the user will think that the application is not working properly.

Upvotes: 0
