Raising HTTP errors from MVC5
MVC provides a lot of nice friendly ways of doing things, especially around user authorisation and authentication. You can easily mark a section as requiring authorisation and if it fails MVC handles this and takes the client to the logon screen.
But when you start to dig a little into it, things start getting very Microsofty and stop complying with how the net should work, HTTP status codes being one example.
If you've logged in but are not authorised for a certain resource, you should be presented with a 403 error, not a logon screen. You have to implement this logic yourself by overriding the HandleUnauthorizedRequest() method of the AuthorizeAttribute and implementing whatever checks you want before triggering some logic to return a 403.
Unfortunately things start to fall apart with IIS and MVC trying to make things easy for you with those confusing "user-friendly" error messages.
I've found the simplest way to handle this is to throw new HttpException(403, "Forbidden"). Then add a relevant
In terms of what happens over the wire, you still get an icky 302 when you try to access the original resource, but the final page you land on comes back with the correct 403 error. This should be fine for most web-clients and crawlers.
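The override described above, combined with the HttpException approach, written out as an added example (not the author's own code). The attribute name, controller name and role name are hypothetical; the check used here is simply whether the caller is already authenticated.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute name. AuthorizeAttribute and HandleUnauthorizedRequest
// are the MVC5 class and method named in the post.
public class ForbiddenAwareAuthorizeAttribute : AuthorizeAttribute
{
    // MVC calls this only after AuthorizeCore() has returned false,
    // i.e. the request failed the Users/Roles checks on the attribute.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        // Logged in but not permitted: logging in again cannot help,
        // so raise a 403 instead of sending the client to the logon screen.
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
        {
            throw new HttpException(403, "Forbidden");
        }

        // Anonymous caller: keep the default behaviour, which sets a 401 result
        // that forms authentication turns into the redirect to the logon page.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Hypothetical controller showing the attribute in place of [Authorize].
public class ReportsController : Controller
{
    [ForbiddenAwareAuthorize(Roles = "Auditor")] // role name is an assumption
    public ActionResult Index()
    {
        return View();
    }
}
```

Keeping the anonymous case on the base implementation means unauthenticated users still reach the logon screen, while a signed-in user lacking the role gets the 403 path only.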