
Setting an absolute URL to loginURL attribute results in an unexpected redirection after logging in.


I have created an ASP.NET Web Forms application by using a template of Visual Studio. By default it has the Account/Login.aspx page which uses the Login control to enable the ASP.NET forms-based authentication and the web.config file in which the loginUrl attribute of forms element is set to "~/Account/Login.aspx".

After successful logging-in a user will be redirected to the page specified by the ReturnUrl query string of Login.aspx page or by the defaultUrl attribute of forms element in the web.config. I understand that this is a standard operation.

If an absolute URL is set to the loginUrl attribute (see example below), however, a user will be redirected to the Login.aspx page. This is my problem.

<authentication mode="Forms">
   <forms loginUrl="http://localhost/Account/Login.aspx" timeout="2880"/>
</authentication>

I have checked the HTTP response by using Fiddler2. After a successful login, IIS returns an HTTP 302 with a response header of "Location: /Account/Login.aspx". This is the reason for the unexpected redirection.

I found several measures to avoid the problem, such as (1) do not use the Login control, or (2) specify the Login.DestinationPageUrl property if the Login control is used, or (3) add code manually to redirect at the Login.LoggedIn event. Before applying these measures, however, I need to know why the unexpected redirect occurs.

Can anyone help me to understand why ASP.NET ignores the ReturnUrl and/or defaultUrl and redirects the user to Login.aspx when an absolute URL is set to the loginUrl attribute?

I have used the following for testing:

- ASP.NET 3.5 and 4
- Vista 32-bit SP2, IIS7
- Visual Studio 2010 Professional
- SQL Server 2008 Express
- Login control is used
- Web Forms (MVC is OK as it does not use the Login control)

The reason why I want to set an absolute URL to the loginUrl attribute is to use SSL by setting it to something like loginUrl="https://...

Thank you in advance.
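
Measure (3) from the post above, as an added example that is not part of the original post: a LoggedIn handler that honours ReturnUrl only when it is a local path and otherwise falls back to defaultUrl, so the redirect cannot be pointed at another site. The class name LoginPage, the handler name LoginUser_LoggedIn and the helper IsLocalPath are assumptions made for illustration.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for Account/Login.aspx (class and handler names are hypothetical).
// Markup: <asp:Login ID="LoginUser" runat="server" OnLoggedIn="LoginUser_LoggedIn" />
public partial class LoginPage : Page
{
    protected void LoginUser_LoggedIn(object sender, EventArgs e)
    {
        // ReturnUrl is attacker-controllable query-string input: validate before use.
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Fall back to the defaultUrl configured on the <forms> element.
        string target = IsLocalPath(returnUrl)
            ? returnUrl
            : FormsAuthentication.DefaultUrl;

        // endResponse = true stops page processing here, so nothing later
        // in the request replaces this redirect.
        Response.Redirect(target, true);
    }

    // Accept only site-relative paths such as "/Default.aspx".
    // Rejects absolute URLs ("http://..."), protocol-relative URLs ("//host")
    // and the "/\host" variant some browsers treat the same way.
    private static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/')
        {
            return false;
        }
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\'))
        {
            return false;
        }
        // Control characters could be used to smuggle header content.
        foreach (char c in url)
        {
            if (char.IsControl(c))
            {
                return false;
            }
        }
        return true;
    }
}
```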

