Form Hijacking Prevention
The `SuppressFormsAuthenticationRedirectModule` module prevents the built-in ASP.NET `FormsAuthenticationModule` from hijacking 401 responses and redirecting them to a login page. That redirect is the desired behaviour when a web browser requests a page it is not authorized to view, but for an API it is not: an API client needs the 401 status itself, not a 302 to an HTML login form.

This module uses a hack to get this done. It temporarily replaces the 401 status with a 402 so that `FormsAuthenticationModule` leaves the response alone, and then puts the 401 back before the request is finished. It only does this for requests under your API path; the rest of the website behaves as normal. Note that there is now a non-hack way to do this, built into .NET 4.5, and the module's source is commented with what that is. When appropriate, a .NET 4.5 package could be released containing this updated code.
To use this, first register the HTTP module in web.config (`<system.web>` takes `<httpModules>`, while `<system.webServer>` takes `<modules>`):

```xml
<system.web>
  <httpModules>
    <add name="FormsAuthenticationDisposition" type="ServiceStack.ServiceInterface.SuppressFormsAuthenticationRedirectModule, ServiceStack.ServiceInterface" />
  </httpModules>
</system.web>

<!-- Required for IIS 7.0 (and above?) -->
<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <modules>
    <add name="FormsAuthenticationDisposition" type="ServiceStack.ServiceInterface.SuppressFormsAuthenticationRedirectModule, ServiceStack.ServiceInterface" />
  </modules>
</system.webServer>
```
Next, configure the module with where your API lives (defaults to `/api`), so in your AppHost's `Configure`:

```csharp
public override void Configure(Funq.Container container)
{
    var appSettings = new AppSettings();
    var appConfig = new AppConfig(appSettings);
    container.Register(appConfig);

    var config = new EndpointHostConfig
    {
        ServiceStackHandlerFactoryPath = "/yourapipath",
    };
    SetConfig(config);

    // This is the configuration for hijacking prevention: the module only
    // touches 401 responses for requests under this path.
    SuppressFormsAuthenticationRedirectModule.PathToSupress = config.ServiceStackHandlerFactoryPath;
}
```
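For reference, the following is an added illustration of the 401/402 swap described above. It is not ServiceStack's own source: the class name, the `PathToSuppress` field, the `IsApiPath` helper and the `/api` default are all assumed for the example, and it only shows the mechanism the module relies on so that you can see where in the pipeline the status code is hidden and restored.

```csharp
using System;
using System.Web;

// Added illustration of the 401 -> 402 -> 401 swap; not ServiceStack's code.
// Class and member names are assumed for this example.
public class SuppressFormsRedirectExample : IHttpModule
{
    // Prefix under which the API lives; set it from AppHost.Configure.
    // "/api" is the assumed default.
    public static string PathToSuppress = "/api";

    public void Init(HttpApplication app)
    {
        // FormsAuthenticationModule turns a 401 into a redirect to the login
        // page from its own EndRequest handler. Hide the 401 one stage earlier
        // (PostReleaseRequestState) and restore it in EndRequest. Handlers run in
        // subscription order, so the restore runs after the forms module's
        // handler as long as that module is registered ahead of this one, which
        // the default module ordering guarantees.
        app.PostReleaseRequestState += (sender, e) => HideUnauthorized(((HttpApplication)sender).Context);
        app.EndRequest += (sender, e) => RestoreUnauthorized(((HttpApplication)sender).Context);
    }

    public void Dispose() { }

    // Match the API prefix itself or anything below it, so that a prefix of
    // "/api" does not also capture an unrelated page such as "/apiary".
    public static bool IsApiPath(string path)
    {
        if (string.IsNullOrEmpty(PathToSuppress) || string.IsNullOrEmpty(path))
            return false;
        var prefix = PathToSuppress.TrimEnd('/');
        return path.Equals(prefix, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(prefix + "/", StringComparison.OrdinalIgnoreCase);
    }

    internal static void HideUnauthorized(HttpContext ctx)
    {
        if (ctx.Response.StatusCode == 401 && IsApiPath(ctx.Request.Path))
        {
            // FormsAuthenticationModule only reacts to 401, so a 402 passes
            // through it untouched. The client never sees the 402 because it
            // is restored in EndRequest, before the headers are sent (unless
            // something flushed the response early, in which case the status
            // can no longer be changed).
            ctx.Response.StatusCode = 402;

            // On .NET 4.5 the swap is unnecessary; this property asks the
            // forms module to leave the 401 alone:
            // ctx.Response.SuppressFormsAuthenticationRedirect = true;
        }
    }

    internal static void RestoreUnauthorized(HttpContext ctx)
    {
        if (ctx.Response.StatusCode == 402 && IsApiPath(ctx.Request.Path))
            ctx.Response.StatusCode = 401;
    }
}
```

The path check is the part worth getting right: a plain `StartsWith` on the prefix would also match sibling paths that merely share the first characters, and a null prefix (module registered but never configured) would throw on every request, so both cases are handled explicitly here. Everything outside the API prefix still gets the normal browser-friendly redirect.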