If a controller action is decorated with the [Authorize] attribute (as is your Admin/Index action) you cannot invoke this action if you do not have a valid forms authentication cookie in the request.
Also in your Login action, upon successful authentication you should not return a view but you should redirect away, so that the cookie is properly set and available on subsequent requests.
Here's what should happen when a non-authenticated user attempts to access the protected Admin/Index action. The [Authorize] attribute will throw a 401 exception, which as you know from the classic WebForms will be intercepted by the Forms Authentication module and you will be redirected to the loginUrl configured in your web.config, passing as a ReturnUrl query string parameter the initially requested protected resource.
So you must have a Login action on the account controller that is not decorated with the [HttpPost] attribute and which should serve the view containing the sign-in view. The request will look like this:
/Account/Login?ReturnUrl=%2Fadmin%2Findex
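
The flow described above, as an added example that is not part of the original answer: a GET Login action that serves the sign-in view, and a POST Login action that sets the forms authentication cookie and redirects. The LoginModel class, the use of Membership.ValidateUser for the credential check, and a loginUrl of ~/Account/Login are assumptions.

```csharp
// Added example, not code from the original answer.
// Assumes web.config contains:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Account/Login" />
//   </authentication>
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model for the sign-in form.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    // GET /Account/Login?ReturnUrl=%2Fadmin%2Findex
    // Not restricted to POST: this is where the Forms Authentication
    // module sends the browser after [Authorize] produces a 401.
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl; // the view posts this back with the form
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // the view must emit @Html.AntiForgeryToken()
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Assumption: credentials are checked against the membership provider.
        if (!ModelState.IsValid || !Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            ViewBag.ReturnUrl = returnUrl;
            return View(model); // failed sign-in: redisplay the form
        }

        // Issue the cookie, then redirect so the next request carries it.
        FormsAuthentication.SetAuthCookie(model.UserName, false);

        // ReturnUrl comes from the query string, so only follow local URLs;
        // anything else falls back to the protected Admin/Index action.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Admin");
    }
}
```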