In a login timeout situation, users are often presented with a blank page.
One way to reproduce:
1) Log in to the default Orchard site provided with the installation.
2) Normally, the presented web page should show some 'edit' buttons. Do nothing.
3) Continue doing nothing until the login times out. (Or alternatively, log out in another window.)
4) Press the 'edit' button.
5) You get a blank page.
The login page is displayed.
As an extra, after the login, user returns to where they were before the authorization failure.
I did a bit of debugging, and found out that when authorization fails (because of a timeout or any other reason), the ASP framework does a 302, redirecting to the loginUrl, as defined in the Web.config.
<forms loginUrl="~/Users/Account/AccessDenied" timeout="2880"/>
So far so good. That works fine for most of the pages of my Orchard site.
However, if the requested URL (that leads to an authorization failure) contains the ReturnUrl parameter, the ASP framework does not emit a 302, but keeps it as a 401. That 401 ends up displayed as a white page in the web browser. As far as I observed, the framework is only doing this with the ReturnUrl parameter. Other parameters do not affect the behavior; a 302 is emitted in all other cases.
For example, this url will return a blank page (if authorization fails):
and this URL will generate a 302; users will be asked to log in: http://localhost:30320/OrchardLocal/Admin/Widgets/EditWidget/11
One solution to this problem would be to rename all the ReturnUrl parameters in the Orchard code to something else, but that seems to require changing each and every controller, which I presume is not really an option.
Another solution would be to catch the 401 in the endrequest of the global.asax. Seems to be a better option, but I do fear some side effects.
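An added sketch of the second option above (not code from the original report or from Orchard): an EndRequest handler in Global.asax.cs that turns a leftover 401 into a redirect to the configured login URL. It assumes forms authentication as in the Web.config line quoted above, and the `Global` class name is a placeholder. The guards narrow it to the reported case to limit side effects.

```csharp
// Global.asax.cs -- added illustration; class name "Global" is a placeholder.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Act only on the reported case: the response is still a 401
        // instead of a 302 to the login page.
        if (Response.StatusCode != 401)
            return;

        // A signed-in user who lacks permission would only bounce between
        // the page and the login form, so leave that 401 untouched.
        if (Request.IsAuthenticated)
            return;

        // Value of <forms loginUrl="..."> from Web.config, made app-absolute.
        string loginPath = VirtualPathUtility.ToAbsolute(FormsAuthentication.LoginUrl);

        // Never redirect the login page to itself (redirect loop).
        if (Request.Path.StartsWith(loginPath, StringComparison.OrdinalIgnoreCase))
            return;

        // Carry the failed URL, including its own ReturnUrl parameter, as one
        // encoded value so the user can be sent back after logging in.
        string target = loginPath + "?ReturnUrl=" + HttpUtility.UrlEncode(Request.RawUrl);

        // endResponse: false avoids a ThreadAbortException this late in the pipeline.
        Response.Redirect(target, false);
    }
}
```

The login action that consumes ReturnUrl should still accept only local URLs before redirecting back to it.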