It seems that cookie authentication in ASP.NET Core redirects 403 errors to CookieAuthenticationOptions.AccessDeniedPath by default. If a web application does not define a page and bypass authentication for that page, then the AccessDeniedPath will also return a 403 and redirect to itself until the URL or the request grows too large, at which point the user will get an error in their web browser.
This PR defines a path under /asi for a simple page that produces the text Access Denied, and makes this the default value for the AccessDeniedPath. If an application wants to define its own page, it can override the default value for the AccessDeniedPath and provide its own implementation via Razor Pages or whatever.
There's no way to supply an extra query parameter via the AccessDeniedPath property. Even if there was, redirecting to login when you're already logged in is a bit awkward. You should log out first, which ought to automatically redirect you to login, and doing that automatically on 403 Forbidden is a bit of a UX problem.
Also, I just discovered there's an issue with the logic in the ApplicationSecurityInterfaceMiddleware. Because it's using the cookie options to determine the AccessDeniedPath, there's no way for the application to override the page. I should have hardcoded the /asi/forbidden path instead.
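As an added illustration of the redirect loop described in the PR description (this is example code, not the PR's own changes or the ApplicationSecurityInterfaceMiddleware): a minimal ASP.NET Core app with a fallback authorization policy, showing the access-denied endpoint as it loops and as it must be registered to break the loop. The /asi/forbidden and /login paths, the "admin" role, and the use of .NET 7 or later (for the statusCode parameter of Results.Text) are assumptions.

```csharp
// Added example, not the PR's code. Paths, role name and policy are assumptions.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/login";
        // Where the cookie handler redirects when authorization returns Forbid (403).
        // The handler appends a ReturnUrl query parameter on each redirect.
        options.AccessDeniedPath = "/asi/forbidden";
    });

builder.Services.AddAuthorization(options =>
{
    // A fallback policy applies to every endpoint that does not opt out, so a
    // signed-in user without the "admin" role is forbidden everywhere,
    // including on the AccessDeniedPath itself unless it is exempted.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireRole("admin")
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// LOOPS: this registration inherits the fallback policy. A signed-in non-admin
// requesting a protected page is forbidden, redirected here, forbidden again,
// and redirected here again with an ever-growing ReturnUrl until the request
// exceeds the server's URL limit and the browser shows an error.
// app.MapGet("/asi/forbidden", () => Results.Text("Access Denied"));

// FIXED: the access-denied page must be reachable by any caller, so it is
// exempted from the fallback policy with AllowAnonymous.
app.MapGet("/asi/forbidden",
        () => Results.Text("Access Denied", statusCode: StatusCodes.Status403Forbidden))
    .AllowAnonymous();

// The login page must be anonymous for the same reason.
app.MapGet("/login", () => Results.Text("Login page placeholder")).AllowAnonymous();

app.Run();
```

An application that wants its own page keeps the AllowAnonymous requirement: whatever endpoint AccessDeniedPath points at must not itself be subject to the policy whose failure sends users there.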