The result of your AJAX call will still likely end up appearing successful (although, don't worry, it won't actually execute your action method), and invoke your success
handler. This is because you are expecting HTML, and that is what you are receiving (albeit, the resulting HTML is likely your login page, and not the HTML you wanted). As an aside, if you expected JSON (using dataType:'JSON'
), it would trigger an error, because it would be parsing HTML as JSON.
What you need to do is prevent FormsAuth from redirecting the login page for AJAX requests. Now, AuthorizeAttribute
faithfully returns a NotAuthorizedResult
, which sends an HTTP 401 Not Authorized response to the client, which is ideal for your AJAX client.
The problem is that FormsAuth module checks the StatusCode and if it is 401, it performs the redirect. I've combatted this issue in this way:
1) Create my own derivative type of AuthorizeAttribute
that places a flag inHttpContext.Items
to let me know authorization failed, and I should force a 401 rather than a redirect:
public class AjaxAuthorizeAttribute : AuthorizeAttribute
{
/// <summary>
/// Processes HTTP requests that fail authorization.
/// </summary>
/// <param name="filterContext">Encapsulates the information for using <see cref="T:System.Web.Mvc.AuthorizeAttribute"/>. The <paramref name="filterContext"/> object contains the controller, HTTP context, request context, action result, and route data.</param>
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.IsAjaxRequest()) filterContext.HttpContext.Items["AjaxPermissionDenied"] = true;
base.HandleUnauthorizedRequest(filterContext);
}
}
2) Add to your Global.asax.cs:
protected void Application_EndRequest(Object sender, EventArgs e)
{
if (Context.Items["AjaxPermissionDenied"] is bool)
{
Context.Response.StatusCode = 401;
Context.Response.End();
}
}
3) Add a statusCode handler to your jQuery AJAX setup:
$.ajaxSetup({
statusCode: {
401: function() {
window.location.href = "path/to/login";
}
}
});
4) Change the controllers or actions where you want this behavior from using AuthorizeAttribute
to AjaxAuthorizeAttribute
:
[AjaxAuthorize]
public string SaveEmployee(string Location, string dateApplied, string Status, string mailCheck, ...)
{
objEmpMain.FirstName = firstName;
objEmpMain.LastName = lastName;
objEmpMain.Initial = Initial;
objEmpMain.Address1 = Address;
...
...
...
}