From dc6e916bd465628c3e6441925cdb16239a0b82b9 Mon Sep 17 00:00:00 2001
From: Hao Kung
Date: Wed, 4 Nov 2015 13:54:37 -0800
Subject: [PATCH] Cookies Forbid now includes ReturnUrl
---
 .../CookieAuthenticationHandler.cs | 15 +++++++--------
 .../Cookies/CookieMiddlewareTests.cs | 1 +
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs b/src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs
index 4f61ca5822..ad7dc7e862 100644
--- a/src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs
@@ -327,14 +327,13 @@ namespace Microsoft.AspNet.Authentication.Cookies
 protected override async Task HandleForbiddenAsync(ChallengeContext context)
 {
- var accessDeniedUri =
- Request.Scheme +
- "://" +
- Request.Host +
- OriginalPathBase +
- Options.AccessDeniedPath;
-
- var redirectContext = new CookieRedirectContext(Context, Options, accessDeniedUri);
+ var returnUrl = new AuthenticationProperties(context.Properties).RedirectUri;
+ if (string.IsNullOrEmpty(returnUrl))
+ {
+ returnUrl = OriginalPathBase + Request.Path + Request.QueryString;
+ }
+ var accessDeniedUri = Options.AccessDeniedPath + QueryString.Create(Options.ReturnUrlParameter, returnUrl);
+ var redirectContext = new CookieRedirectContext(Context, Options, BuildRedirectUri(accessDeniedUri));
 await Options.Events.RedirectToAccessDenied(redirectContext);
 return true;
 }
diff --git a/test/Microsoft.AspNet.Authentication.Test/Cookies/CookieMiddlewareTests.cs b/test/Microsoft.AspNet.Authentication.Test/Cookies/CookieMiddlewareTests.cs
index 646375b880..8af2b88780 100644
--- a/test/Microsoft.AspNet.Authentication.Test/Cookies/CookieMiddlewareTests.cs
+++ b/test/Microsoft.AspNet.Authentication.Test/Cookies/CookieMiddlewareTests.cs
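Review bot: The ReturnUrl value appended on the new `var accessDeniedUri` line is taken verbatim from `AuthenticationProperties.RedirectUri`, and nothing in HandleForbiddenAsync checks that it is a local path, so whatever serves `Options.AccessDeniedPath` must validate the parameter before redirecting back to it; a comment on the `var returnUrl` line such as `// RedirectUri is caller-supplied and not validated here; the access-denied page must confirm it is a local URL before honouring it` would make that contract explicit. The fallback `OriginalPathBase + Request.Path + Request.QueryString` is always a same-site relative path, so it needs no such check. The removed code prefixed `OriginalPathBase` to `Options.AccessDeniedPath` itself, whereas the new code relies on `BuildRedirectUri` to do so; that is worth confirming, since the accompanying test only asserts on `location.LocalPath` and `location.Query` and so would not reveal a dropped path base.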
@@ -645,6 +645,7 @@ namespace Microsoft.AspNet.Authentication.Cookies
 Assert.Equal(HttpStatusCode.Redirect, transaction2.Response.StatusCode);
 var location = transaction2.Response.Headers.Location;
 Assert.Equal("/Account/AccessDenied", location.LocalPath);
+ Assert.Equal("?ReturnUrl=%2Fchallenge", location.Query);
 }
 [Theory]
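Review bot: The added assertion appears to exercise only one branch of HandleForbiddenAsync — the expected `%2Fchallenge` is consistent with the request-path fallback used when `context.Properties` carries no RedirectUri, though the test setup is outside the hunk. The branch where an explicit RedirectUri is supplied in the properties is left without coverage; a second case that forbids with a RedirectUri set and asserts that value appears, encoded, in `location.Query` would cover it. The enclosing test method starts outside the hunk.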