ASP.NET MVC : Response.Redirect(url, TRUE) does not stop request processing

Question

I have a method decorated with two custom ActionFilterAttribute.

[RequiresAuthentication(Order = 1)]
[ToonAction(Order = 2)]
public ActionResult Browse(...

RequiresAuthentication attribute is coming from this article

Inside RequiresAuthentication, on it's OnActionExecuting I do:

 filterContext.HttpContext.Response.Redirect(loginUrl, true);

The line is get executed, and the arguments are all as expected. The problem is that after executing the line above, I get next attribute (ActionFilterAttribute) executed, as if redirect didn't work, it just continues executing the request, instead of simply redirecting browser.

Question: what else do I need to do to make the request handler

This is a complete method:

    public override void OnActionExecuting(ActionExecutingContext filterContext) {
        //redirect if not authenticated
        var identity = filterContext.HttpContext.User.Identity;
        if (!identity.IsAuthenticated) {
            //use the current url for the redirect
            string redirectOnSuccess = filterContext.HttpContext.Request.Url.PathAndQuery;

            //send them off to the login page
            string redirectUrl = string.Format("?ReturnUrl={0}", redirectOnSuccess);
            string loginUrl = FormsAuthentication.LoginUrl + redirectUrl;
            filterContext.HttpContext.Response.Redirect(loginUrl, true);
            // filterContext.Result = new HttpUnauthorizedResult();
            // filterContext.HttpContext.Response.StatusCode = 0x191;
        }
    }

tvanfosson · Accepted Answer · 2010-02-02T20:22:53.880

You want to set the Result on the filterContext to a RedirectResult, not do a redirect on the response.

 filterContext.Result = new RedirectResult { Url = loginUrl };

EDIT: As @Hunter Daley suggests a better mechanism would be to use the AuthorizeAttribute instead if it works for you. If you do have authentication/authorization scenarios that the AuthorizeAttribute doesn't work for, it would probably be better to derive your custom attribute from it instead of the more generic ActionFilterAttribute. In any event, the correct technique is to set the Result rather than interact with the Response directly. You might want to look at the actual AuthorizeAttribute source at http://www.codeplex.com/aspnet for ideas.

I've got a sample of custom authorization code on my blog, http://farm-fresh-code.blogspot.com, too.

This turned out to be the answer I needed -- I was doing a redirect on the Response, and for months I could not figure out why I was getting "Cannot set cookie" errors. — Matt Sherman, Aug 12 '10 at 03:02

score 2 · Answer 2 · answered Feb 02 '10 at 20:17

2

try adding the [Authorize] attribute to your Action methods instead

answered Feb 02 '10 at 20:17

hunter

62,308
19
113
113

yes, that would work, too, unless you have a more complicated authorization/authentication scenario. – tvanfosson Feb 02 '10 at 20:19

score 2 · Answer 3 · answered Feb 02 '10 at 20:28

2

Add

filterContext.HttpContext.Response.Clear();

at first and this at End :

filterContext.HttpContext.Response.End();

Hope this helps.

answered Feb 02 '10 at 20:28

ali62b

5,363
4
22
25

2

Didn't help: filterContext.HttpContext.Response.Redirect(loginUrl, true); already does it inside. – THX-1138 Feb 02 '10 at 20:48

score 0 · Answer 4 · answered Apr 22 '14 at 14:15

you can use return RedirectToAction("Index", "Home/Login", new {area = "", returnURL = Request.Url.AbsolutePath}); to stop the current processing, redirect to the desired (login) page and quit the action. the area route property is needed to get out of the current area if you are in any.

score 0 · Answer 5 · answered Aug 07 '18 at 08:09

0

Add this code before you redirect the page.

filterContext.ExceptionHandled = true;

answered Aug 07 '18 at 08:09

Chan

914
9
25

ASP.NET MVC : Response.Redirect(url, TRUE) does not stop request processing

5 Answers5

Linked