I'm using ASP.NET Core Razor Pages with Identity.
When a user navigates to some authorised route /secret (which he cannot access), the 403 page is shown as expected, but the runtime appends ?ReturnUrl=%2Fsecret to the URL.
I see no point to that querystring; it makes sense on a login page, not on a static 403 page.
How can I remove it?
I specified OnRedirectToAccessDenied during startup:
    // Requires: using Microsoft.AspNetCore.Authentication.Cookies;
    builder.Services.ConfigureApplicationCookie(x => {
        x.AccessDeniedPath = new PathString("/Error"); // page used by StatusCodePage middleware
        x.Events = new CookieAuthenticationEvents {
            // Set a bare 403 instead of redirecting to AccessDeniedPath?ReturnUrl=...
            OnRedirectToAccessDenied = context => {
                context.Response.StatusCode = 403;
                return Task.CompletedTask;
            }
        };
    });
It manually handles each 403 event, effectively stripping the querystring from the original URL.
I posted a bug issue on the repo; please upvote it so they fix it.