Response.Redirect in Application_AcquireRequestState has resulted in too many redirects

Response.Redirect in Application_AcquireRequestState has resulted in too many redirects

Using role-base security the most ideal place to check if a user is still login is the Global.asax event: Application_AcquireRequestState.

And the most usual solution is:

if(Session["xxx"] != null) {
 Respose.Redirect("xxx");
}

That will work on debug mode but not if deployed on web server. It produce different errors on different browsers, on chrome it has the most obvious error:

"The webpage at http://localhost/newctdnet/Error.aspx has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer."

The solution is to check first for new session:

 if(Session.IsNewSession)
{
 var pageName = HttpContext.Current.Request.Url.PathAndQuery.ToLower();
 //special allowed page
    var allowedPage = new[] { "/page1.aspx", "/page2.aspx" };
    var listAllowedPage = new ArrayList(allowedPage);

 if (!listAllowedPage.Contains(pageName))
 {
  if (!User.Identity.IsAuthenticated)
  {
   FormsAuthentication.RedirectToLoginPage();
  }
 }
}