HttpStatusCodeResult (401) returns "200 OK"

The MVC 5+ pipe modifies 401 response codes.

Option 1 with .net 4.5

you can set HttpContext.Response.SuppressFormsAuthenticationRedirect to true.

eg. in your custom AuthoriseAttribute.cs

  protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) { if (filterContext.HttpContext.Request.IsAjaxRequest()) { filterContext.Result = new JsonResult { Data = "_Logon_", JsonRequestBehavior = JsonRequestBehavior.AllowGet }; filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized; filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true; } 

Option 2. If you are not using .net 4.5

  public class SuppressFormsAuthenticationRedirectModule : IHttpModule { private static readonly object SuppressAuthenticationKey = new object(); public static void Register() { DynamicModuleUtility.RegisterModule( typeof(SuppressFormsAuthenticationRedirectModule)); } public static void SuppressAuthenticationRedirect(HttpContext context) { context.Items[SuppressAuthenticationKey] = true; } public static void SuppressAuthenticationRedirect(HttpContextBase context) { context.Items[SuppressAuthenticationKey] = true; } public void Init(HttpApplication context) { context.PostReleaseRequestState += OnPostReleaseRequestState; context.EndRequest += OnEndRequest; } public void Dispose() { } private void OnPostReleaseRequestState(object source, EventArgs args) { var context = (HttpApplication)source; var response = context.Response; var request = context.Request; if (response.StatusCode == 401 && request.Headers["X-Requested-With"] == "XMLHttpRequest") { SuppressAuthenticationRedirect(context.Context); } } private void OnEndRequest(object source, EventArgs args) { var context = (HttpApplication)source; var response = context.Response; if (context.Context.Items.Contains(SuppressAuthenticationKey)) { response.TrySkipIisCustomErrors = true; response.ClearContent(); response.StatusCode = 401; response.RedirectLocation = null; } } } 

and in web.config

  <modules> <add name="SuppressFormsAuthenticationRedirectModule" type="SuppressFormsAuthenticationRedirectModule"/> </modules> 

See here for more details.

For Identity middleware, redirection can be disabled by removing the LoginPath parameter in Startup.Auth.cs:

  public void ConfigureAuth(IAppBuilder app) { app.UseCookieAuthentication(new CookieAuthenticationOptions { ... LoginPath = new PathString("/Account/Login"), // Remove this line });