How to solve Redirect Loop

I have a web application, and some users who use Chrome as their preferred browser of choice, get the following error when they have logged out of the application, and try to log back in.

“This webpage has a redirect loop”.

My web application uses forms authentication, and the FormAuthenticationModule redirects the user back to the Login page of my application, so I cannot use this approach:

<customErrors mode="On" defaultRedirect="~/MyErrorPage.aspx" >

    <error statusCode="401" redirect="~/NoAccess.aspx"/>

</customErrors>

Instead, I have added the following to the Page_Load event of my LoginPage.

if (Request.IsAuthenticated && !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
{
    Response.Redirect("~/NoAccess.aspx");
}

However, since I have added this approach, the users seem to get the “Redirect Loop” error.

After clearing the cookies, all seems well, but the problem does occur again.

Is there a permanent fix for this I can add to my code, or is there anything else I can do to prevent this issue from happening?

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Try adding this to your web.config file:

  <location path="NoAccess.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

This will turn off any authorization for this page and should stop Your loop.

You can also add this:

  <location path="Login.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

This will deny access to your login page to all users that are already authenticated.
Combining those two should allow You to add custom errors for all redirections.

You may also consider creating a directory for unauthorized access (eg. public/) and placing inside all error pages (that do not require being authorized).
Then You can do:

  <location path="public">
    <system.web>
      <authorization>
        <allow users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

You can read more about location here.
And more about authorization here.

Method 2

Had a very similar problem and solved it in IIS: In Authentication feature enable Anonymous Authentication and disable everything else. This makes sense, as eventually this is the application that manages authentication logic and not the IIS or ASP.NET. But obviously this solution doesn’t support the elegant access to public pages as @Grzegorz suggested.

Method 3

I also had a redirect loop which resulted in the error message The request filtering module is configured to deny a request where the query string is too long. for a Visual Studio 2013 Web Site where Authentication was set to Individual User Accounts.

The requested URL was a long version of http://localhost:52266/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl.... so it was obviously continually redirecting to the login page and appending the return URL each time.

No amount of of breakpoints in an attempt to find the offending loop seemed to make a difference, as none were triggered.

In the end I did the following:

• Find the project properties. Do this by selecting the project (not solution) and see the Properties window (don’t right-click then choose Properties, otherwise you won’t find it).
• Set Anonymous Authentication to Enabled.
• Set Windows Authentication to Disabled.

When starting the project the default page should now appear and breakpoints you have added should start working.

Method 4

It’s an old post and I faced this issue while custom authentication and validation.
the issue got resolved by adding this line of code in web.config

<system.web>
<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH" path="/" timeout="240" cookieless="UseCookies"></forms>
</authentication>
<authorization>
  <allow users="*"/>
</authorization>
    <compilation debug="true" targetFramework="4.6" />
    <httpRuntime targetFramework="4.6" />
    <httpModules>
      <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
    </httpModules>
  </system.web>

Hope it helps.

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0