RedirectResult

RedirectResult in ASP.NET Core MVC — Mastering Navigation & PRG Pattern

In web development, you frequently need to send users somewhere else — after a form submission, after login, or when a page has moved permanently. ASP.NET Core provides multiple redirect mechanisms, each serving a specific HTTP purpose. Understanding when to use each is essential for building production-grade applications.

1. WHAT Are Redirect Results?

Redirect results are ActionResult types that instruct the browser to make a new HTTP request to a different URL. Instead of returning HTML content, the server sends a 3xx HTTP status code with a Location header, causing the browser to automatically navigate to the new URL.

2. The Complete Redirect Family

Method	HTTP Code	Type	Use Case
`RedirectToAction()`	302	Temporary	Navigate to another action in your app (most common)
`RedirectToActionPermanent()`	301	Permanent	SEO migration — old action moved permanently
`RedirectToRoute()`	302	Temporary	Navigate using route names instead of action names
`Redirect()`	302	Temporary	Navigate to an external URL or absolute path
`RedirectPermanent()`	301	Permanent	Old URL permanently moved (SEO)
`RedirectPreserveMethod()`	307	Temporary	Redirect but keep the original HTTP method (POST stays POST)
`RedirectPermanentPreserveMethod()`	308	Permanent	Permanent redirect, preserve HTTP method
`LocalRedirect()`	302	Temporary	Safe redirect — only allows local URLs (prevents open redirect attacks)

3. REAL-TIME PRODUCTION EXAMPLES

Example 1: Post-Redirect-Get (PRG) — The Most Common Pattern

public class OrdersController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> PlaceOrder(OrderViewModel model)
    {
        if (!ModelState.IsValid)
            return View("Checkout", model);   // Return view (no redirect)

        var orderId = await _orderService.CreateAsync(model);

        TempData["Success"] = $"Order #{orderId} placed!";

        // RedirectToAction → 302 → Browser makes new GET request
        return RedirectToAction(nameof(Confirmation), new { id = orderId });
    }

    public IActionResult Confirmation(int id)
    {
        // This is a GET — user can refresh safely without re-submitting
        var order = _orderService.GetById(id);
        return View(order);
    }
}

Example 2: Safe Redirect After Login (Preventing Open Redirect Attacks)

[HttpPost]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (!ModelState.IsValid) return View(model);

    var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, false, false);

    if (result.Succeeded)
    {
        // SECURITY: Use LocalRedirect instead of Redirect
        // This prevents attackers from crafting URLs like: /login?returnUrl=https://evil-site.com
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return LocalRedirect(returnUrl);    // Only allows URLs on YOUR domain

        return RedirectToAction("Index", "Dashboard");
    }

    ModelState.AddModelError("", "Invalid login attempt");
    return View(model);
}

Example 3: SEO-Friendly Permanent Redirects (URL Migration)

// Old URL structure: /products/view/42
// New URL structure: /shop/42
// 301 tells search engines to update their index permanently

[Route("products/view/{id:int}")]
public IActionResult OldProductPage(int id)
{
    // 301 Permanent Redirect — SEO juice transfers to new URL
    return RedirectToActionPermanent("Details", "Shop", new { id });
}

// External URL redirect (old domain to new domain)
[Route("legacy-page")]
public IActionResult LegacyPage()
{
    return RedirectPermanent("https://newdomain.com/updated-page");
}

Example 4: Redirect to Named Routes

// Define a named route
app.MapControllerRoute(
    name: "productDetail",
    pattern: "shop/{category}/{slug}",
    defaults: new { controller = "Shop", action = "Product" }
);

// Redirect using route name (decoupled from controller/action names)
public IActionResult GoToProduct()
{
    return RedirectToRoute("productDetail", new { category = "electronics", slug = "iphone-15" });
    // Generates: /shop/electronics/iphone-15
}

4. 301 vs 302 — The Critical SEO Distinction

302 — Temporary Redirect

Browser requests the new URL this time only
Search engines keep the old URL in their index
Use for: PRG pattern, login flows, A/B testing

301 — Permanent Redirect

Browser caches the redirect and never requests the old URL again
Search engines transfer all SEO ranking to the new URL
Use for: URL restructuring, domain migration, slug changes

Security: Open Redirect Vulnerability

Never use Redirect(returnUrl) with user-supplied URLs without validation. Attackers can craft login links like /login?returnUrl=https://phishing-site.com. Always use LocalRedirect() or validate with Url.IsLocalUrl(returnUrl). This is a real OWASP Top 10 vulnerability that has been exploited in major applications.

5. Best Practices

Always use PRG for form submissions to prevent duplicate submissions on browser refresh
Use nameof() instead of magic strings: RedirectToAction(nameof(Index))
Use LocalRedirect() for user-supplied return URLs to prevent open redirect attacks
Use 301 only when you're certain the URL has permanently moved — browsers cache it aggressively
Combine with TempData to pass notification messages across the redirect boundary

6. Interview Mastery

Q: "What is the Post-Redirect-Get pattern and why is it important?"

Architect Answer: "PRG is a web design pattern that prevents duplicate form submissions. After processing a POST request (e.g., placing an order), the server responds with a 302 redirect to a GET endpoint (e.g., order confirmation). If the user hits refresh, the browser re-sends the GET request — not the POST. Without PRG, refreshing after a POST would re-submit the form, potentially creating duplicate orders, double charges, or duplicate database records. In every production application I've built, POST handlers always end with RedirectToAction(), never View()."

Interview Q&A for this course