How to fix LoginPath not working in ASP.NET Core

The LoginPath is used to define the URL to redirect users to when they are not authenticated and try to access a restricted resource. If this path is not configured correctly or if there’s an issue in setting up authentication, the LoginPath might not work as expected.

If your LoginPath is not working in ASP.NET Core, there could be a few reasons why it's not functioning as expected.

By default, if you don't configure it's automatically redirect to /Account/Login?RedirectUrl=%2F

Verify that you have correctly configured the LoginPath property in your authentication middleware setup.

Opening your Startup class, then add a configuration as shown below.

services.ConfigureApplicationCookie(options =>
            {
                options.LoginPath = new PathString("/Identity/Account/Login");
                options.ReturnUrlParameter = "RedirectUrl";
                options.LogoutPath = new PathString("/Identity/Account/Lockout");
                options.AccessDeniedPath = new PathString("/Identity/Account/AccessDenied");
                options.ExpireTimeSpan = TimeSpan.FromDays(1);
            });

Make sure that the LoginPath is set to the correct path where your login page is located.

If you've updated from beta 5 to beta 8, you can't set the custom login path in cookie authentication options.

services.AddCookieAuthentication(config =>
{
     config.LoginPath = new PathString("Auth/Login");
});

You will still gets redirected to the default '/Account/Login'.

To solve the problem, you can do this a bit differently.

services.Configure<IdentityOptions>(options=>
{
    options.Cookies.ApplicationCookie.LoginPath = new PathString("/Auth/Login");
});

Ensure that the route specified in the LoginPath matches the route configuration in your application. If your login page is located at /Account/Login, make sure that you have defined a corresponding route for it.

Instead of use services.AddAuthentication().AddCookie

services.AddAuthentication().AddCookie(options =>
            {
    options.LoginPath = "/Identity/Account/Login";
    options.ExpireTimeSpan = TimeSpan.FromDays(1);
});

If you don't use ASP.NET Core Identity.

First, verify that the authentication middleware is added and configured correctly.

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            // Define LoginPath here
            options.LoginPath = new PathString("/Account/Login");
            options.AccessDeniedPath = new PathString("/Account/AccessDenied");  // Optional
        });

    services.AddAuthorization();
}

You need to make sure that the routes that require authentication are protected by an authorization policy.

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}")
            .RequireAuthorization(); // This ensures that the route is protected
    });
}

Ensure that the route for your login page is correctly mapped. If the LoginPath is set to /Account/Login, make sure you have a controller action like this:

public class AccountController : Controller
{
    public IActionResult Login()
    {
        return View();  // Return the Login view
    }
}

Make sure that the LoginPath is a valid route and correctly matches your route configuration. If you use a custom login page, the URL should match exactly.

If your login page URL is something like /Account/Login, then the LoginPath should be:

options.LoginPath = new PathString("/Account/Login");

If the LoginPath still doesn't work as expected, you can debug the issue by manually handling the redirection when authorization fails.

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Events.OnRedirectToLogin = context =>
        {
            // Here you can log or debug to check what's happening
            if (context.Request.Path.StartsWithSegments("/api"))
            {
                // For APIs, send unauthorized status
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            }

            // Otherwise, redirect to the login page
            context.Response.Redirect("/Account/Login");
            return Task.CompletedTask;
        };
    });

If your application uses HTTPS, make sure that cookie settings are configured correctly. Sometimes, issues arise if cookies are not set correctly for secure (HTTPS) connections:

options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

By following the steps above, you should be able to resolve issues related to LoginPath in ASP.NET Core. Make sure your authentication middleware is set up correctly, the login route is properly mapped, and any custom redirect logic is handled properly.