ASP.NET Web Pages and FormAuthentication.LoginUrl configuration

Recently I had integrated ASP.NET Web Pages into existing ASP.NET Web Forms site. It was classic Web Forms project uses most of ASP.NET Web Forms features. And of course it uses the built-in FormAuthentication. See Web.config:

Any time you access 'secure' url, you get redirected to Login.aspx with ReturnUrl parameter. This worked fine for years.

 

There was a reason to integrate ASP.NET Web Pages into this working project. Integration itself was not painful.  First of all I upgraded the project to ASP.NET 4 and then added following setting to enable Web Pages.

My old aspx pages and new cshtml worked fine, but it broke user authentication flow in strange way. All unauthenticated requests was redirected to /Account/Login instead of Login.aspx.

 

I was shocked!!!. Where this /Account/Login came from?!?! Starting debugging I found that  FormAuthentication.LoginUrl  returns ~/Account/Login despite configuration in Web.config. Seems someone overrides web.config settings, but why?

 

The answer came from Reflector (this tool always helps). When I enabled ASP.NET Web Pages in the project, it forced WebMatrix.WebData.dll being loaded, which in its turn called FormsAuthentication.EnableFormsAuthentication overriding existing FormAuthentication settings.

 

Web Pages looks for loginUrl app setting and use a default ~/Account/Login if no such setting found. I added following setting and it solved my problem:

I think this is a bug in ASP.NET Web Pages. Configuring loginUrl with appSettings is not clear when you already have form authentication being configured in the same Web.config.

 

(original post)

Developer