How to solve Redirect Loop

Question

I have a web application, and some users who use Chrome as their preferred browser of choice, get the following error when they have logged out of the application, and try t

Answer 1

Try adding this to your web.config file:

  <location path="NoAccess.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

This will turn off any authorization for this page and should stop Your loop.

You can also add this:

  <location path="Login.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

This will deny access to your login page to all users that are already authenticated. Combining those two should allow You to add custom errors for all redirections.

You may also consider creating a directory for unauthorized access (eg. public/) and placing inside all error pages (that do not require being authorized). Then You can do:

  <location path="public">
    <system.web>
      <authorization>
        <allow users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

You can read more about location here. And more about authorization here.

Answer 2

I also had a redirect loop which resulted in the error message The request filtering module is configured to deny a request where the query string is too long. for a Visual Studio 2013 Web Site where Authentication was set to Individual User Accounts.

The requested URL was a long version of http://localhost:52266/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl.... so it was obviously continually redirecting to the login page and appending the return URL each time.

No amount of of breakpoints in an attempt to find the offending loop seemed to make a difference, as none were triggered.

In the end I did the following:

• Find the project properties. Do this by selecting the project (not solution) and see the Properties window (don't right-click then choose Properties, otherwise you won't find it).
• Set Anonymous Authentication to Enabled.
• Set Windows Authentication to Disabled.

When starting the project the default page should now appear and breakpoints you have added should start working.

Answer 3

It's an old post and I faced this issue while custom authentication and validation. the issue got resolved by adding this line of code in web.config

<system.web>
<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" path="/" timeout="240" cookieless="UseCookies"></forms>
</authentication>
<authorization>
  <allow users="*"/>
</authorization>
    <compilation debug="true" targetFramework="4.6" />
    <httpRuntime targetFramework="4.6" />
    <httpModules>
      <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
    </httpModules>
  </system.web> 

Hope it helps.

Answer 4

Had a very similar problem and solved it in IIS: In Authentication feature enable Anonymous Authentication and disable everything else. This makes sense, as eventually this is the application that manages authentication logic and not the IIS or ASP.NET. But obviously this solution doesn't support the elegant access to public pages as @Grzegorz suggested.