Assign the Result property on the filterContext if you want to short-circuit the execution of the controller action, like this:
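/// <summary>
/// Action filter that redirects the request to the login action when the
/// session holds no "User" entry.
/// </summary>
/// <remarks>
/// Assigning <c>filterContext.Result</c> short-circuits the pipeline, so the
/// controller action is not executed for that request.
/// </remarks>
public class SecurityAttribute : ActionFilterAttribute
{
    /// <summary>
    /// Runs before the action method and replaces the result with a redirect
    /// to Login/DoLogin when no "User" value is present in the session.
    /// </summary>
    /// <param name="filterContext">Context of the action about to execute.</param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var session = filterContext.HttpContext.Session;

        // Session can be null (e.g. session state disabled for the request).
        // Fail closed: a missing session is treated as "not signed in" instead
        // of throwing a NullReferenceException.
        if (session != null && session["User"] != null)
        {
            return;
        }

        var values = new
        {
            controller = "Login",
            action = "DoLogin",
            // Pass only the site-relative path and query. AbsoluteUri carries
            // the scheme and host taken from the incoming request, which forces
            // the login action to accept absolute redirect targets. The login
            // action (not shown here) should still validate returnUrl, e.g.
            // with Url.IsLocalUrl, before redirecting to it.
            returnUrl = filterContext.HttpContext.Request.Url.PathAndQuery
        };

        filterContext.Result = new RedirectToRouteResult("Default", new RouteValueDictionary(values));
    }
}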
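Also, it would be semantically more correct to write an authorization filter for this purpose and to rely on the built-in Forms Authentication rather than reinventing wheels with Session and stuff. Authorization filters run before action filters, so the check happens before anything else in the action pipeline.
So simply: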
/// <summary>
/// Controller whose actions are all restricted to authenticated users by the
/// class-level <c>[Authorize]</c> attribute.
/// </summary>
[Authorize]
public class HomeController : Controller
{
    /// <summary>
    /// Looks up the model for the authenticated user and renders the default view with it.
    /// </summary>
    /// <returns>The view result carrying the user's model.</returns>
    public ActionResult Index()
    {
        // The name comes from the authenticated principal, not from
        // request parameters or a hand-maintained session value.
        SomeUserModel model = GetUserFromBackend(User.Identity.Name);
        return View(model);
    }
}
You can read more about Forms Authentication at MSDN: http://msdn.microsoft.com/en-us/library/ff647070.aspx