Thread: Throw HTTP Status Code error

I don't suppose it could be because I'm running it from Visual Studio, could it? That doesn't use IIS, does it?

Does running it from Visual Studio allow for status codes?

Originally Posted by jmurrayhead

What do you see?

I just see the page as normal with the message from my event handler at the top of the page:

Code:

403PermissionModule Node: Beginning of Request

Originally Posted by richyrich

I don't suppose it could be because I'm running it from Visual Studio, could it? That doesn't use IIS, does it?

Does running it from Visual Studio allow for status codes?

I don't recall...I could have sworn that VS still gives me a default 403 authorization page.

Originally Posted by richyrich

I just see the page as normal with the message from my event handler at the top of the page:

Code:

403PermissionModule Node: Beginning of Request

Have you tried setting up a custom error page for 403 errors?

Originally Posted by JmurrayHead

Have you tried setting up a custom error page for 403 errors?

No, I haven't yet. Will give it a go and see what happens.

Nope...Doesn't work...

Code:

    <customErrors mode="On" defaultRedirect="default.aspx">
      <error statusCode="403" redirect="NoAccess.htm" />
      <error statusCode="404" redirect="FileNotFound.htm" />
    </customErrors>

It doesn't redirect to NoAccess.htm.

If I cause a 404 it redirects fine...Argh...This is very annoying...Why can't you do this?

FormsAuthentication fires a 302 response if you try and access a page when not logged in, even on pages that do not exist (I just tried in Fiddler), so FormsAuthentication can fire back a status code before the custom error handler in web.config. So, why can't I fire a 403 response on pages when the user doesn't have permission to view a page?

Just doesn't make sense..

Try simply checking the status code and then use Response.Redirect to NoAccess.htm.

Kind of misses the point then though J. I could already get it to redirect if the permissions failed anyway..I just thought it might be an idea to get it to go by status code.

I guess MS decided that wouldn't be a good idea and made it impossible to do...

The basic problem:-
To check if the user is authenticated you have to wait until Application AuthorizeRequest event.
If you change the status code during this event, it doesn't affect the page request sent back to the user.

ergo...It's impossible to achieve this..

I did find this article. See the second comment.

Could this be the issue I'm having a problem with? Is it something to do with the page request and web server setting the status code.

At which point is the status code set?

Gonna try playing around with the status codes in the different events and see what happens.

Take a look, here, R: Asp.Net: Authentication based on HTTP Basic protocol. HttpModule.

I'm going to give up on this idea, I think.

It is returning a status code of 403 but then it's not redirecting based on the custom errors in web.config.

I set application.Response.StatusCode=403 in the AuthenticateRequest event and when I check HttpContext.Current.Response.StatusCode it equals 403 but it still just shows the page as normal.