Basically this is a question of telling the difference between having an
authenticated user hit the back button to the login form or attempting to
access a new resource the user isn't authorized for.

I am using forms based authentication with roles and that works as expected.
In my login form I already have code to display a "you are already logged
on" message rather than the user/password entry if the user directly returns
to the login form. This can easily happen by using the "back" button. It's
simple enough to check Request.IsAuthenticated if (!IsPostBack) and see
that the user has already logged on.

The default action is to simply load the login form even if the user is
already authenticated. If the user is already authenticated I can't just
assume the form is loaded due to accessing a directory the user's role does
not grant access to. Without form authentication HTTP error 403 would result
but I don't know of any way to test for why the authentication form was

If the login form is called due to unauthorized access of a resource for an
authenticated user then HttpContext.Current.Error is still null and the
Request.UrlReferrer isn't set either.

Does anyone know of a way to determine this information?
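
One way to tell the two cases apart, as an added example that is not part of the original post: forms authentication appends the requested path to the login redirect as the `ReturnUrl` query parameter, and `UrlAuthorizationModule.CheckUrlAccessForPrincipal` (assumes .NET 2.0 or later) re-evaluates the `<authorization>` rules for that path against the current user. The class name, the three panel controls and the `LocalPathOnly` helper are hypothetical.

```csharp
// Added example: code-behind for a hypothetical Login.aspx.
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    // Hypothetical controls declared in Login.aspx.
    protected Panel LoginPanel, AlreadyLoggedOnPanel, AccessDeniedPanel;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Anonymous visitor or credential post: normal login flow.
        if (IsPostBack || !Request.IsAuthenticated)
            return;

        // ReturnUrl is client-controlled; only a local path is evaluated.
        string path = LocalPathOnly(Request.QueryString["ReturnUrl"]);
        bool denied = false;
        if (path != null)
        {
            try
            {
                // Checks the <authorization> rules only, not file ACLs.
                denied = !UrlAuthorizationModule.CheckUrlAccessForPrincipal(
                    path, User, "GET");
            }
            catch (ArgumentException)
            {
                denied = false; // path lies outside this application
            }
        }

        LoginPanel.Visible = false;
        AccessDeniedPanel.Visible = denied;      // role lacks access to ReturnUrl
        AlreadyLoggedOnPanel.Visible = !denied;  // back button or direct visit
    }

    // Returns the path part of a site-local ReturnUrl, or null otherwise.
    static string LocalPathOnly(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl) || returnUrl[0] != '/') return null;
        if (returnUrl.StartsWith("//") || returnUrl.StartsWith("/\\")) return null;
        int q = returnUrl.IndexOf('?');
        return q >= 0 ? returnUrl.Substring(0, q) : returnUrl;
    }
}
```

Re-checking access matters because a back-button visit can return to a login URL that still carries the `ReturnUrl` of a page the user is now allowed to see, so the presence of the parameter alone does not mean access was denied.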