I'm using the ASP.NET Login Controls and Forms Authentication for membership/credentials for an ASP.NET web application. I've got pages such as PasswordRecovery.aspx that are accessable to only Anonymous users. When I click my login link from such a page, the login page has a ReturnUrl parameter in the address bar:

http://www.example.com/Login.aspx?ReturnUrl=PasswordRecovery.aspx

And then after a successful login, users are returned to the PasswordRecovery.aspx page specified in the ReturnUrl parameter to which they no longer have access.

I found the answer on Velocity Reviews. I handled the LoggedIn event to force a redirection to the DestinationPageUrl page.

Public Partial Class Login
    Inherits System.Web.UI.Page

    Protected Sub Login1_LoggedIn(ByVal sender As Object, _  
            ByVal e As System.EventArgs) Handles Login1.LoggedIn
        'overrides ReturnUrl page parameter
        Response.Redirect(Login1.DestinationPageUrl)
    End Sub

End Class