I have a ColdFusion website that programmatically handles "forbidden"/"unauthorized" requests in onrequeststart() in Application.cfc based on the logged in user's attributes. For example (FYI: SESSION.User is initialized in onSessionStart():
<cffunction name="onRequestStart" returnType="Boolean" output="false">
<cfargument name="targetPage" type="string" required="true">
<cfparam name="REQUEST.MinSecurityLevel" default="0" />
<cfparam name="REQUEST.IsLoginRequired" default="false" />
<cfif REQUEST.IsLoginRequired AND NOT SESSION.User.isLoggedIn()>
<cfscript>
SESSION.LoginMessage =
"Your session has timed out. Please log in again.";
SESSION.LastPageVisited =
getPageContext().getRequest().getRequestURI();
if (Len(Trim(getPageContext().getRequest().getQueryString())))
SESSION.LastPageVisited =
SESSION.LastPageVisited
& "?"
& getPageContext().getRequest().getQueryString();
</cfscript>
<cflocation url="/user/login/" addtoken="false" />
<cfelseif SESSION.User.getSecurityLevel() LT REQUEST.MinSecurityLevel>
<cfheader statuscode="403" statustext="Forbidden" />
</cfif>
<cfreturn true />
</cffunction>
In IIS (version 7), I have an error page setting with Type "Execute URL" and my custom 403 page path.
I am able to trigger this, and it properly displays my custom 403 page, but it returns a HTTP Response Code 200.
Shouldn't this return a 403?
It seems as though I found a solution in my response to @Miguel-F above. I simply mimicked part of what I'm doing to handle 404 errors:
/missing-template/index.cfm:
/not-authorized/index.cfm:
I thought that adding a 403 header to the 403 handler page would result in an endless loop, but it works fine.
I also added in onRequestStart() since there's no need for further processing once the 403 is triggered: