ASP.NET MVC Authorize Attribute does a 302 redirect when the user is not authorized

Question

MSDN explicitly says it should do 401 redirect, but I\'m getting a 302 redirect on FF, and this is causing problems in AJAX requests as the returned status is 200 (from the red

Answer 1

The Authorize attribute does return a Http 401 Unauthorized response. Unfortunately, however if you have FormsAuthentication enabled, the 401 is intercepted by the FormsAuthenticationModule which then performs a redirect to the login page - which then returns a Http 200 (and the login page) back to your ajax request.

The best alternative is to write your own authorization attribute, and then if you get an unauthenticated request that is also an Ajax request, return a different Http status code - say 403 - which is not caught by the formsAuthenticationModule and you can catch in your Ajax method.