The login page of the ASP.NET application using Forms authentication is invoked by the engine in two different scenarios:
- when the user is not authenticated at all
- when user is authenticated but has insufficient priviledges
Now suppose that you do not make any difference between these scenarios in the login page code. The user logs in and then tries to access a resctricted area, guarded with the authorization policy. Though he/she is logged in, the engine redirects the call to the login page. The user provides his/her identity but the situation repeats. This lack of the informative description of the issue could very frustrating for the user. His credentials seem unaccepted while in fact the credentials are ok but the authorization policy refuses his credentials as valid.
Luckily there's a trivial solution - in the Page_Load of the login page you just check if the Context.User.Identity.IsAuthenticated flag is true. If this is the case then it means that the user is logged in but has been redirected because of the authorization policy. You can then hide the username/password input fields and instead provide a message "The user which is currently logged in has no sufficient priviledges to access the page".