Allow action method to be accessed only by anonymous user in Asp.Net Core MVC

Overview

In a typical ASP.NET Core application, you globally restrict access to authenticated users. The built-in [AllowAnonymous] attribute allows specific actions for anonymous users. However, the opposite scenario—restricting an action to only anonymous users—requires a custom filter.

This tutorial demonstrates how to create a custom AnonymousOnlyFilter attribute to prevent authenticated users from accessing specific pages or actions.

Note

Use cases include:

Login and registration pages (should only be accessible before authentication)
Password reset pages (prevent authenticated users from resetting another user’s password)
Public signup forms (keep authenticated users from accessing)

Creating the AnonymousOnlyFilter

First, create a class file AnonymousOnlyFilter.cs

1
public class AnonymousOnlyFilter : ActionFilterAttribute
2
{
3
    public override void OnActionExecuting(ActionExecutingContext context)
4
    {
5
        if (context.HttpContext.User.Identity.IsAuthenticated)
6
        {
7
            context.Result = new RedirectToActionResult("Index", "Home", "");
8
        }
9
    }
10
}

How It Works

This custom filter:

Derives from ActionFilterAttribute — This base class provides the OnActionExecuting hook, which executes before any controller action runs
Checks user authentication — context.HttpContext.User.Identity.IsAuthenticated returns true if the user is logged in
Redirects authenticated users — If the user is authenticated, they’re redirected to the home page (you can change this redirect target)

Tip

You can customize the redirect target by changing new RedirectToActionResult("Index", "Home", ""). The parameters are: action name, controller name, and route values.

Applying the Filter

Use the [AnonymousOnlyFilter] attribute on specific actions or the entire controller:

Example: On Individual Actions

1
public class HomeController : Controller
2
{
3
    // This action is accessible to everyone
4
    public IActionResult Index()
5
    {
6
        return View();
7
    }
8

9
    // Only anonymous users can access this
10
    [AnonymousOnlyFilter]
11
    public IActionResult Login()
12
    {
13
        return View();
14
    }
15

16
    // Only anonymous users can access this
17
    [AnonymousOnlyFilter]
18
    public IActionResult Register()
19
    {
20
        return View();
21
    }
22

23
    // Regular authenticated-only action
24
    [Authorize]
25
    public IActionResult Dashboard()
26
    {
27
        return View();
28
    }
29
}

Example: On Entire Controller

1
[AnonymousOnlyFilter]
2
public class AuthController : Controller
3
{
4
    // All actions in this controller are anonymous-only
5
    public IActionResult Login() => View();
6
    public IActionResult Register() => View();
7
    public IActionResult ForgotPassword() => View();
8
}

Warning (Filter Execution Order)

If you apply both [AnonymousOnlyFilter] and [Authorize] to the same action, [Authorize] is checked first, so the AnonymousOnly filter never executes. Remove [Authorize] when using [AnonymousOnlyFilter].

Summary

With this custom filter, you can easily protect anonymous-only pages from being accessed by authenticated users. It’s a simple but powerful way to enforce your application’s access control logic beyond the standard [Authorize] and [AllowAnonymous] attributes.