IIS 7 With Url Rewrite Module 2.0 - Setting 401 Status Codes And The ReturnUrl
Feb 2, 2011
I have a website hosted on IIS7 with the url rewrite module 2.0 installed. It is run by content management that looks at the url and returns a 401 error if the current user does not have permission to view the page. This gets picked up by the asp.net url authorization module which then kicks the page over to the loginUrl page as specified in the web.config (forms authentication).
This works perfectly on my local machine - which is IIS7 and windows7.
If the url is, say, /612/some-string the user gets directed to the login page at /66/login?ReturnUrl=/612/some-string
The url rewriting looks at the first part of the url for the document id. The real url would be this: index.aspx?documentId=612
Unfortunately, when I deployed this to our staging server, the ReturnUrl isn't the rewritten url, it's the original url. This causes all sorts of problems.
The staging server is also IIS7 with the url rewrite module 2.0 installed. It's Windows 2008 server SP2. Both are running asp.net 3.5.
My only guess is that the machine.config orders the default httpModules differently, and the .net forms authentication module is jumping in before the url has been rewritten.
I'll review that soon, but in the meantime has anyone experienced this problem and solved it?
Update
I also tried changing
Response.StatusCode = 401;
to
FormsAuthentication.RedirectToLoginPage();
Which gets me a bit ahead, but still directs the user back to the url that hasn't been rewritten.
I'm probably going to use the URL rewrite module for IIS 7 eventually and I have a fairly straightforward question that I really can't find the answer to.
If you have a base case of:
http://yoururl.com/page.aspx?ID=7 You can obviously have it rewritten to: http://yoururl.com/page/7 or whatever you want.
My question is this: When using this module can you still use Request.Querystring["page"] on the rewritten querystring? How does the Request.URL stuff work? Does asp.net still provide the un-rewritten url or does it provide the rewritten one?
I would assume that your C#/asp.net code is completely unaffected by the url rewriting, as that's more or less the point, but I want to be crystal clear.
Secondary question: What is the best practice for how you should code a website when using the rewritten. Should you code links in the written style, or continue using querystrings?
The IIS URL Rewrite Module ships with 3 built-in functions:
* ToLower - returns the input string converted to lower case.
* UrlEncode - returns the input string converted to URL-encoded format. This function can be used if the substitution URL in rewrite rule contains special characters (for example non-ASCII or URI-unsafe characters).
* UrlDecode - decodes the URL-encoded input string. This function can be used to decode a condition input before matching it against a pattern.
The functions can be invoked by using the following syntax: {function_name:any_string}
The question is: can this list be extended by introducing a Replace function that's available for changing values within a rewrite rule action or condition?
Another way to frame the question: is there any way to do a global replace on a URL coming in using this module?
It seems that you're limited to using regular expressions and back-references to construct strings - i.e. there's no search/replace mechanism to replace every instance of X with Y in {REQUEST_URI}, without knowing how many instances there are.
I've had a quick glance at the extensibility introduced in the 2.0 RTW and don't see any 'light' means of introducing this.
Hello, I'm trying to implement URL rewriting for the first time. I must use URL Rewrite Module IIS7 per my hosting company. All of the examples I have found so far will rewrite a url such as:
www.domain.com/ShowProduct.aspx?ID=233&Title=Product-Title, to: www.domain.com/ShowProduct/ProductTitle/233. The common scenario between these examples is that the rewrite chops off the .aspx & special characters and shuffles the query string parameters around. I get how that all works. However, I had something a little different in mind and I'm not sure if it can be accomplished.
My urls currently look like this: www.domain.com/ShowProduct?ID=233, and I would like them to look like this: www.domain.com/ShowProduct/Product-Title. The way I would imagine this working is, during the rewrite, pass the ID to the db and return the Title for the new url. You see, I currently don't need to pass the Title as a query string parameter and I'd prefer to not show the ID at all. This would be ideal. Can this be accomplished? Or will I have to add the Title as a query string param and show the ID in rewritten url?
I have web services built with ASP.NET and ASP.NET clients consuming them. When consuming the webservices, how would I force the clients to use https?
I don't want to force the whole site to use https by turning on require SSL in IIS.
Can I use the IIS7 URL rewrite module to re-route http requests to https?
For example when a user enters www.homeforhire.com they should be redirected to default.aspx (for operational reasons the user is then redirected to www.homeforhire.com/home.aspx).
Instead an error is caught in the Rewrite module (which should not be activated). I am using an http module to perform URL rewriting.
It appears as if the default document setup is not working correctly, and the requested page ~/ is being sent to the Rewrite module, causing an error (which is then caught by my error handler and the user is redirected to the home page).
Entering www.homeforhire.com/default.aspx works correctly.
Can anyone tell me why the default document settings in the web.config do not appear to be working?
http://mysite.com -> https://www.mysite.com OK
http://www.mysite.com -> https://www.mysite.com NOT WORKING
I guess the condition is not being satisfied when I enter www.mysite.com in the browser, so there's no redirect and the page serves as HTTP instead of HTTPS.
I think I just need to modify the condition pattern, but I have almost no regex knowledge and I need this asap.
I'm writing an HTTP handler in ASP.NET 4.0 and IIS7 and I need to generate a file-not-found condition.
I copied the following code from Mathew McDonald's new book, Pro ASP.Net 4 in C# 2010. (The response variable is an instance of the current HttpResponse.)
response.Status = "File not found";
response.StatusCode = 404;
However, I found that the first line generates the run-time error HTTP status string is not valid.
If, instead of the lines above, I use the following:
response.Status = "404 Not found";
Then everything seems to work fine. In fact, I even see that response.StatusCode is set to 404 automatically.
My problem is that I don't want this to fail on the production server. So I'd feel much better if I could understand the "correct" way to accomplish this. Why did the first approach work for Mathew McDonald but not for me? And is the second approach always going to be reliable?
MVC has a method LogOn in AccountControllers. It has parameter returnUrl to redirect after login. I used this method to redirect to login page and back to previous page after logging in by returnUrl parameter. My code in form view
I want to remove "returnurl=/blabla" from address bar when a user wants to access a login-required page. Because I'm trying to redirect the user to a static page after login to do some selections.
Is it possible clear ReturnUrl from the server? I have a login page where the user logouts and I want to direct them to a specific page but when ReturnURL is set it overrides my redirect page.
Update: Ideally, I will only redirect a user who has just logged out versus someone who has bookmarked OR I will redirect regardless in special cases. So these are the cases:
* A link or bookmark -> should redirect to specified page in most cases.
* A logout that has a returnurl -> should NOT redirect to the page.
* A special case -> should always redirect to my special case, i.e. when a user needs to see something important
Is there a way to remove the returnurl from the logout/login status control?
For a testproject I use two Login pages. In order to do that I use a dispatcher page:
Dispatcher:
[Code]....
I then just redirect in the dispatcher to the real login-page according to the ReturnUrl. So far so good. The only problem I have is that I don't get redirected to the ReturnUrl once I'm logged in... Of course I add the ReturnUrl to the forwarded Login-Page (/Admin/Login.aspx?ReturnUrl=...).
I'm building my asp.net 4.0 website with url routing. It works great, except that I have stumbled upon one problem. The problem is that when a logged in user is on one of the non-public pages and gets logged out, the return url is set to the page he or she was previously visiting. When logging in again, the ReturnUrl is a non-routed url (something like login.aspx?ReturnUrl=somethingsomething). This poses a problem for some of my pages where I have a default value stored in the route; it simply doesn't get picked up with the non-routed url of the ReturnUrl. The result is a broken page (404).
There is an "Add to Cart" button on product detail page, and If I click the button, it should be directed to login page.
After I login, it should be re-directed to the product detail page.
"Add to Cart" button is a CartController action.
In CartController.cs :
[Code]....
In AccountController.cs :
[Code]....
The product should not be added into the cart before login, so I put [Authorize] on AddToCart action.
However, if I click the "add to cart" button, it directs to the login page, and if I login, it gives me an error because it lost all the AddToCart action's parameter information (e.g. Cart cart, int productId, string returnURL)
I am having an endless problem with the following. When a user logs in I want him directed to a specific page and not the ReturnURL. How do I enforce this? I am coding in C#
I'm using ASP.NET Membership and Form Authentication and before redirecting to the returnURL I wanted to validate it. For those unfamiliar with the workflow, basically if you request a page that requires that you are authenticated, you are redirected to a login page. In the URL string you'll see a parameter called returnURL, e.g. [URL]
Whether you use this in a redirect such as Response.Redirect(returnURL) or indirectly through the FormsAuthentication.RedirectFromLoginPage method, it passes without validating returnURL.
FormsAuthentication.RedirectFromLoginPage does have a security check that it isn't leaving the domain, but that still doesn't stop someone from putting enough random characters to cause an error.
I tried using System.IO.File.Exists(Server.MapPath(returnURL)) but given enough illegal characters it causes Server.MapPath to error.
Note: URLEncoding doesn't work because we are not cleaning a parameter, but the primary URL.
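One way to validate the returnURL described in the post above before redirecting, using only syntactic checks so that nothing like Server.MapPath can throw on illegal characters. This is an added example, not code from the original post; ReturnUrlGuard, Sanitize, the length cap and the /default.aspx fallback are assumptions.

```csharp
using System;

// Added example: ReturnUrlGuard and its members are hypothetical names.
public static class ReturnUrlGuard
{
    private const int MaxLength = 2048; // assumed cap; tune for the site

    // Returns returnUrl when it is a well-formed, site-local path; otherwise fallback.
    // Purely syntactic: no Server.MapPath or file-system call that could throw.
    public static string Sanitize(string returnUrl, string fallback)
    {
        if (string.IsNullOrEmpty(returnUrl) || returnUrl.Length > MaxLength)
            return fallback;

        // Must start with a single '/'. "//host" and "/\host" are treated by
        // browsers as protocol-relative, i.e. a redirect off the site.
        if (returnUrl[0] != '/')
            return fallback;
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\'))
            return fallback;

        // Control characters (CR/LF included) have no place in a redirect target.
        foreach (char c in returnUrl)
        {
            if (char.IsControl(c))
                return fallback;
        }

        // Rejects unescaped illegal characters without throwing.
        if (!Uri.IsWellFormedUriString(returnUrl, UriKind.Relative))
            return fallback;

        return returnUrl;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples = {
            "/612/some-string", "//example.org/login", "/\\example.org",
            "http://example.org/", "/page?x=<>|\"*", null
        };
        foreach (string s in samples)
            Console.WriteLine("{0} -> {1}", s ?? "(null)", Sanitize(s, "/default.aspx"));
    }
}
```

In a login page the sanitized value would be passed to Response.Redirect in place of the raw query-string value.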
I'm having trouble with the ReturnUrl property using forms authentication. If my URL is [URL], the ReturnURL value in the querystring is ignored and it always sends me to the defaultUrl value default.aspx.
I've got a couple pages in my web app that are used by external applications. They will link to the pages, and pass in various querystring values to allow my app to do the searching and return the results in the page. The problem is, if the user is not yet logged into the web app, they are sent to the login page, and the ReturnURL is truncated to include only the first QueryString value. I lose the rest of the values. So far I haven't figured out a solution to this. Here's a quick example:
The external application links the user to: [URL]
If the user is not logged in they are sent to the login page, and the current URL looks like this: