Question

If the user is not logged in and they request an action marked [Authorize], then the response is a redirect to the Account/LogOn action (status code 302 Found).

Is there a way to make the response be status code 403 Forbidden instead?


Solution

Create an action filter that inherits from AuthorizeAttribute. Then override this method:

using System.Web.Mvc;

// Returns 403 Forbidden instead of the 302 redirect to Account/LogOn.
public class ForbiddenAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The response is reached through filterContext, not a bare "Response".
        // Assigning a result short-circuits the pipeline, so Response.End()/Close()
        // (End() throws ThreadAbortException, making Close() unreachable) are not needed.
        // FormsAuthenticationModule only rewrites 401, so a 403 reaches the caller as-is.
        filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
    }
}

OTHER TIPS

If the user is not logged in then the more appropriate status code is 401:Unauthorized. This is what the AuthorizeAttribute returns by default.

FormsAuthenticationModule will catch this return code and convert it into the redirect. If you can disable it (or not load it at all), then the 401 will be returned to the caller.
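The two answers above together describe the correct split: 401 when the caller is not authenticated, 403 when the caller is authenticated but fails the role or user check, and the FormsAuthenticationModule redirect getting in the way of the 401. The following is an added example, not code from either answer, showing one attribute that does both. It assumes ASP.NET 4.5 / MVC 4 or later, where HttpResponseBase.SuppressFormsAuthenticationRedirect exists; the attribute and controller names are hypothetical.

```csharp
using System.Net;
using System.Web;
using System.Web.Mvc;

// Added example (not from the original answers): an authorization attribute that
// returns the status code matching the failure instead of the 302 login redirect.
//   - not logged in             -> 401 Unauthorized, with the FormsAuthentication
//                                  redirect suppressed (System.Web 4.5+)
//   - logged in but not allowed -> 403 Forbidden
public class StatusCodeAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpContextBase httpContext = filterContext.HttpContext;

        if (!httpContext.User.Identity.IsAuthenticated)
        {
            // FormsAuthenticationModule turns a 401 into a 302 to the LogOn page
            // unless told not to. Setting this flag keeps the 401 for API/Ajax callers
            // while leaving the module loaded for the rest of the site.
            httpContext.Response.SuppressFormsAuthenticationRedirect = true;
            filterContext.Result = new HttpUnauthorizedResult();   // 401
            return;
        }

        // Authenticated, but failed the Roles/Users check: 403 is the right answer,
        // and FormsAuthenticationModule does not touch it.
        filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
    }
}

// Usage on a hypothetical action:
//
// [StatusCodeAuthorize(Roles = "Admin")]
// public ActionResult Delete(int id) { /* ... */ }
```

On frameworks older than 4.5 the flag is not available, so the 401 branch still ends in a redirect; there the choice is the original answer's approach (disable or not load FormsAuthenticationModule in web.config) or returning 403 for both cases as the accepted solution does. Whichever you pick, the MVC action is never invoked on failure because a Result has been assigned, so the authorization boundary is unchanged; only the status code sent to the client differs.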

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow