In an ASP.NET Core 3.1 web app, I can change the target route for unauthorised requests in my Startup.cs like so:

    services.ConfigureApplicationCookie(o =>
    {
        o.AccessDeniedPath = "/Home/Error";
    });

That will return /Home/Error?ReturnUrl=... where ... is whatever page I was trying to access.

But I actually just want it to return simply "/Home/Error?code=401"

I tried e.g.

    o.AccessDeniedPath = "/Home/Error?code=401";

but that brings back simply

"/Home/Error?code=401?ReturnUrl=%2FAdmin"

I then realised there's a ReturnUrlParameter in the options, like this:

    o.ReturnUrlParameter = "code";
    o.AccessDeniedPath = "/Home/Error";

which gets me this far in the redirect:

/Home/Error?code=%2FAdmin

But I want to specify the key's value (e.g. 401), i.e. replace the page the request came from, so the final result would be

/Home/Error?code=401
marc_s
jamheadart
  • You may have an issue with the Roles on the Server : https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/roles/creating-and-managing-roles-cs – jdweng Dec 07 '20 at 14:48
  • @jdweng that has nothing to do with what I want to achieve. My authorisations are working fine, I just want to change the page it redirects to when a user is unauthorised. That link is also for ASP.NET 3.5 whereas I'm using ASP.NET Core 3.1 – jamheadart Dec 07 '20 at 14:52
  • That seems to be a default behavior and it is there for a reason. Perhaps just ignore it if you don't use it on the server. If you still wish to remove it, you may try something like [this answer](https://stackoverflow.com/a/35364588) or [this](https://stackoverflow.com/a/49657353). Maybe this cannot be achieved without a custom auth implementation. [See discussion here](https://github.com/aspnet/Security/issues/1682) – Pirate Dec 07 '20 at 15:10
  • I actually have a custom auth routine running, but I've just realised I can basically check to see if `ReturnUrl` is not empty on my `Home/Error` request and do what I need there, so it's no longer necessary to change it. – jamheadart Dec 07 '20 at 15:13

1 Answer

According to your code, it seems that you are using cookie authentication. I suggest you try changing the redirect URL using the CookieAuthenticationEvents.OnRedirectToAccessDenied property; check the following sample code:

        services.AddAuthentication("CookieAuthentication")
            .AddCookie("CookieAuthentication", config =>
            {
                config.Cookie.Name = "UserLoginCookie"; // Name of the cookie
                config.LoginPath = "/Login/UserLogin"; // Path for the redirect to the user login page
                config.AccessDeniedPath = "/Login/UserAccessDenied";
                config.Events = new Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationEvents()
                {
                    OnRedirectToAccessDenied = ctx =>
                    {
                        var redirectPath = ctx.RedirectUri;
                        if (redirectPath.Contains("?ReturnUrl"))
                        {
                            // Remove the ReturnUrl query string and append the status code instead
                            var url = redirectPath.Substring(0, redirectPath.LastIndexOf("?ReturnUrl"));

                            ctx.Response.Redirect(url + "?code=401");
                        }
                        else
                        {
                            // Assigning this event replaces the default handler, so redirect here as well
                            ctx.Response.Redirect(redirectPath);
                        }
                        // Or, directly using the following code:
                        //ctx.Response.Redirect("/Login/UserAccessDenied?code=401");
                        return Task.CompletedTask; // requires using System.Threading.Tasks;
                    }
                };
            });

Zhi Lv
  • I'm using Windows Authentication according to my appsettings (which I guess uses cookies?), I don't add any other Auth in my startup, I'm just using a custom [Authorize] attribute on my controllers, but this will work because I'm still using the `services.ConfigureApplicationCookie` line – jamheadart Dec 08 '20 at 09:35