authorize

I have some action methods behind an Authorize like: [AcceptVerbs(HttpVerbs.Post), Authorize] public ActionResult Create(int siteId, Comment comment) { The problem I have is that I'm sending a request through AJAX to Comment/Create with X-Requested-With=XMLHttpRequest which helps identify the request as AJAX. When the user is not logged in and hits the Authorize wall it gets redirected to /Account/LogOn?ReturnUrl=Comment%2fCreate which breaks the AJAX workflow. I need to be redirected to /Account/LogOn?X-Requested-With=XMLHttpRequest Any ideas how that can be achieved? Any ways to gain more

Suppose a high-speed developer was tasked with building a banking application which would be accessed by many different people. Each person would want to access his or her own account information but would not want others to access it. I would like to know the best practice for restricting access in an MVC application so that only the user who owns the information (or an administrator) could access it. The Authorize attribute allows us to restrict by role. While this is a starting point, it seems that any authenticated user could gain access to any other user's information. ActionFilters seem

I'm confused on ASP.NET MVC caching and authorization and in dire need of some clarification. My self-made authorization attribute inherits from AuthorizeAttribute . Its overridden AuthorizeCore method runs every time, even if I set an [OutputCache] attribute on a controller action. I understand that part. Now the mind bender for me: AuthorizeCore will fail every time now when I actually do output caching and the page is served from the cache. The reason is that when the request is cached, the httpContext.Session supplied with AuthorizeCore is null !? Here's some simplified code: protected

I have an MVC controller base class on which I applied the Authorize attribute since I want almost all of the controllers (and their actions along) to be authorized. However I need to have a controller and an action of another controller unauthorized. I wanted to be able to decorate them with the [Authorize(false)] or something but this is not available. Any ideas? Edit: Since ASP.NET MVC 4 the best approach is simply to use the built-in AllowAnonymous attribute. The answer below refers to earlier versions of ASP.NET MVC You could create a custom authorisation attribute inheriting from the