Security :: Forms Authentication Across A Subdomain And The Redirect URL Failure?
Apr 9, 2010
Here's my scenario.
I've got a site called domain.com and also another product on product.domain.com. The product.domain.com requires authentication to access it. For consistency in the user experience I have set the login url in the web.config on product.domain.com to be http://domain.com/Login.aspx. This redirection is working ok - and a sample url would be:
The problem is that the RedirectURL does not take into account that the request originally came from product.domain.com so when the authentication is successful the user is not redirected back to product.domain.com
I have come up with a solution for this but would like feedback if possible.
I changed the loginURL in the web.config to http://domain.com/Login.aspx?domain=product.domain.com so the sample url is now:
I then override the LoggedIn event in the membership control and check to see if the domain value pair is specified and if it is I redirect to the domain + ReturnURL.
As I said previously I'd appreciate any comments or other ways to achieve the same result.
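One way to keep that "domain" parameter from turning into an open redirect, as an added example (not the poster's code): the LoggedIn handler only forwards to hosts on an allow-list, and only to a site-local ReturnUrl. The allow-list contents, the handler name and the Login.aspx.cs class are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Hypothetical allow-list of hosts that may receive the post-login redirect.
    // In a real deployment load this from configuration rather than hard-coding it.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "domain.com",
            "product.domain.com"
        };

    // Wired to the Login control's LoggedIn event (OnLoggedIn="LoginControl_LoggedIn").
    protected void LoginControl_LoggedIn(object sender, EventArgs e)
    {
        string target = BuildPostLoginUrl(
            Request.Url.Scheme,
            Request.QueryString["domain"],
            Request.QueryString["ReturnUrl"]);
        Response.Redirect(target);
    }

    // Returns an absolute URL on an allow-listed host, or a local URL on the
    // login host when the domain is missing or not allowed. ReturnUrl is only
    // honoured when it is a site-relative path, never a full or
    // protocol-relative URL supplied by the client.
    internal static string BuildPostLoginUrl(string scheme, string domain, string returnUrl)
    {
        bool localPath = !string.IsNullOrEmpty(returnUrl)
            && returnUrl.StartsWith("/", StringComparison.Ordinal)
            && !returnUrl.StartsWith("//", StringComparison.Ordinal)
            && !returnUrl.StartsWith("/\\", StringComparison.Ordinal);
        if (!localPath)
        {
            returnUrl = FormsAuthentication.DefaultUrl;   // e.g. "/default.aspx"
        }

        if (string.IsNullOrEmpty(domain) || !AllowedHosts.Contains(domain))
        {
            return returnUrl;   // unknown host: stay on domain.com
        }

        // The host is allow-listed, so plain concatenation is safe here.
        return scheme + "://" + domain + returnUrl;
    }
}
```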
What I want to do is take traffic that is going to shop.mywebsite.com and redirect or rewrite (I'm not sure of the terminology) the domain to be www.mywebsite.com/shop. Both shop.* and www.* are separate web applications (nopCommerce and Umbraco respectively) that don't seem to cooperate when I've tried to nest them. Both applications are in a Server 2008 R2/IIS 7.5 environment.
I've searched around stackoverflow and what I've found is a lot of answers to mapping the other direction (i.e. subfolder to a subdomain) but that's not what I'm looking for as far as I understand the problem.
The end goal is to combine the SEO reputation of the shop subdomain into the www subdomain. I readily admit that I might have this all backwards and am willing to try any suggestions I'm offered.
I'm using the AutoCompleteExtender from the AJAX Control Toolkit on my aspx page - I have it wired up to a WCF service that is returning a string array and everything works happily.
If I change my service definition to include a demand for the caller to be authenticated, like so:
<OperationContract(), PrincipalPermission(SecurityAction.Demand, Authenticated:=True)> _
Public Function GetLookupValues(ByVal prefixText As String, ByVal count As Integer, ByVal contextKey As String) As String()
Then the autocomplete extender stops working, and I get an authentication error in the service. The service is set up to use ASPNetCompatibility mode, and I was hoping that the extender would pass the authentication credentials for my logged in user - does anyone know how to make this work?
I am using ASP.NET's forms authentication, but do not want the default behavior of redirecting to a login page when a restricted area is accessed. Instead I would like to invoke a JavaScript jQuery dialog for the login on the current page, preventing the content behind from loading. My only issue is that by default the forms authentication wants to redirect. Is there a handler that I can hook into, or some other option to prevent the redirect?
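As an added example (not the poster's code), an HttpModule that replaces the forms-authentication redirect with a bare 401 for XMLHttpRequest calls, so the page's jQuery dialog can take over instead of the browser following the Location header; the module name and its web.config registration are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Registered in web.config under <system.webServer><modules> (IIS 7 integrated mode):
//   <add name="AjaxLoginModule" type="AjaxLoginModule" />
public sealed class AjaxLoginModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // FormsAuthenticationModule turns a 401 into a 302 during EndRequest;
        // this module is registered after it, so its handler runs after that conversion.
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (!ShouldSuppressRedirect(context.Request, context.Response))
        {
            return;
        }
        // Drop the redirect: the client-side script sees the 401 and opens
        // the login dialog; ordinary browser navigation is left untouched.
        context.Response.Clear();
        context.Response.RedirectLocation = null;
        context.Response.StatusCode = 401;
    }

    // True when the pending response is the forms-auth redirect to the login
    // page and the caller is an XMLHttpRequest (jQuery sets this header).
    internal static bool ShouldSuppressRedirect(HttpRequest request, HttpResponse response)
    {
        if (response.StatusCode != 302 || string.IsNullOrEmpty(response.RedirectLocation))
        {
            return false;
        }
        bool isAjax = string.Equals(request.Headers["X-Requested-With"],
                                    "XMLHttpRequest", StringComparison.OrdinalIgnoreCase);
        bool toLoginPage = response.RedirectLocation.IndexOf(
            FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase) >= 0;
        return isAjax && toLoginPage;
    }
}
```

The protected content is then fetched by the page through an AJAX call, so on a 401 the script opens the dialog and nothing behind it is rendered.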
We just switched to VS2010 and it seems like the forms authentication is behaving differently.
Our setup is that we have a default page (default.aspx) so that if you link to the root folder of the site, rather than a specific page, you get switched to default.aspx.
In addition, we have a working forms authentication system set up so that if you try to go to any of the pages you get redirected to a login.aspx page.
The login page can either redirect you to the forms authentication default page (default.aspx) or to the requested URL.
I'm not the one that configured this originally, but it looks like we are getting the originally requested URL from the authentication redirect, since Page.Request.Url = "http://.../Login.aspx/ReturnURL=<requestedpage>"
The problem is that this is failing to work when the original url is the root folder. In VS2008, <requestedpage> would be "/rootfolder/default.aspx", whereas now (in VS2010) we're getting "/rootfolder/". In other words, the site redirect used to be happening before the authentication check, and now it seems to be happening afterwards.
This is a problem because when we are checking to see if we need to redirect to something other than the default page, we check to see if the return URL is empty or matches the authentication defaultURL (which is also "default.aspx"). If it matches, we go straight to the default page. If it doesn't we do some processing and then do the redirect. The extra processing is producing strange results when the browser is redirected to the rootfolder and therefore to the default page.
For now, I'm able to additionally test for Request + "default.aspx" (which resolves to the authentication defaultURL), but this feels clunky and I can see headaches in the future if we ever need to rename default.aspx.
P.S. It has occurred to me that it's possible that something changed in web.config or another setup file when we did our conversion to VS2010. I can't find it, but that doesn't mean it's not there.
How do I redirect to a custom URL on Forms Authentication timeout? The timeout is working but it is only caught when I try to go to a page in my application, because each Page_Load method is wrapped in a custom IsLoggedIn method. Here are the settings I have so far in the Web.config:
I am currently having a spot of bother with something I'm trying to create. I want it so that when a user who is in a certain role logs in they are directed to a certain page, and any other normal users are directed to another page.
I think I have this sorted via code but...
- The first time it will work, the 'admin' user will get directed to the appropriate page
- I then log out and log in as a normal user and get directed to the appropriate page
- Then when I log out of that user's account and back into the admin one I get directed to the normal user's page instead.
- Additional to this, I tried it on a different machine logging in as the admin user only to be redirected to the normal user's page (is my session being stored somewhere?)
I've traced through the problem and the user name and password being submitted are what they should be, yet it skips the true part of my IF statement for being in that role.
Here is my code I am using on the login form:
[Code]....
- When stepping through I've seen it work and not work with the same values; I can't understand the logic of its inconsistency.
The code I am using for the logout is (this is on my master page):
We would like to redirect the user to a given page if the authentication to our SharePoint site fails (i.e. the standard Windows login prompt pops up three times - we are using Windows authentication). No matter what option we try it always ends up bringing the user back to a blank page.
We have tried writing an HttpModule (and catching the case where Response.StatusCode = 401), which doesn't seem to fire any events if the user is not authenticated. We have tried writing an HttpHandler, but of course we can redirect the user if there is an error code but can't continue on to the desired site if not. We have tried doing the following in the web.config:
Here is a use case of my login using a CustomMembershipProvider
- User logs in
- MembershipProvider validates the user account
- User property of Membership is set to user details coming from the database
- An authentication ticket is created
- Forms authentication cookie is added
- User is logged in
Here is a use case of my problem:
- Stop the web development server
- Start the web development server, and the user is still logged in (due to the cookie?)
- User property of Membership is set to null due to server restart/failure
- Application throws an exception due to the null user value
The only solution I could think of is to clear all cookies on Application_Start(), but I don't know how that is even possible as Request is out of context during application start.
I am in the process of designing an application; in case user authentication fails I need to redirect to a default page (NT Authentication). Is there any way you can redirect the user on IIS if the user fails to go through the NT authentication at IIS level? Option 1: Always land the user on the default page, validate there, and redirect to the site based on the access given by the directory-level access. I am looking for any options to let the user go to the default page in case user access is denied.
I have a logon/register control that is on several pages. Users are logged on with this code:
FormsAuthentication.SetAuthCookie(Userid, False)
Response.Redirect(Request.Url.AbsoluteUri) ' Round trip is necessary to complete logon
All this was working OK, except that there was a problem with Internet Explorer users: if their browser had the default privacy setting the authorization cookie was rejected. There was no message, but they were not logged on. See [URL] To try to solve this problem I changed to cookieless authentication, but now the logon control doesn't work. The problem is that after cookieless authentication the URL changes from
[URL]
However Request.Url.AbsoluteUri remains http://localhost:3641/TestGDB/login_pages/home2.aspx even after the logon, and so with cookieless authentication the user is not logged on as there is no authentication ticket in the redirect URL.
The problem is "solved" by changing the Redirect statement to Response.Redirect("~/login_pages/home2.aspx") which works perfectly for this particular page, but is obviously wrong when the control is on other pages.
I want to make a redirect to a specified page if authorization failed. And this is not a general page. I want to make a specific redirect based on the page the user wants to open. How can it be done?
What is the simplest way to redirect a web request to an ASP.NET application to a subdomain? If a request comes into the URL http://somesite.com/foo.aspx, the new destination URL should be http://www.somesite.com/foo.aspx or http://blog.somesite.com/foo.aspx. How can you programmatically redirect the request to the subdomain, keeping the rest of the URL intact?
I am new to asp.net and mvc 3. Currently I am experimenting with https. I use mvc 3, iis 7 and visual studio 2010 under windows 7.
The problem that I want to solve is the following.
The SignUp action should only be accessible via https.
My SSL certificate is issued only for a certain subdomain: secure.mydomain.com
The goal is that all requests to SignUp are redirected to secure.mydomain.com/SignUp such that the certificate fits to the domain.
Requests not using https simply should use mydomain.com.
I successfully installed the certificate to my local iis 7, and when I use the [RequireHttps] attribute, the connection is protected with this certificate.
My questions are:
How can I do the redirects right?
Is there a possibility to test this on my local machine where all requests go to localhost?
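A subclass of MVC 3's RequireHttpsAttribute that sends SignUp to the certificate's host, as an added example (not the poster's code; the host name is the question's placeholder). Its RebuildOnHost helper also serves the earlier question about redirecting a request to a subdomain while keeping the rest of the URL intact.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Apply as [RequireSecureHost] on the SignUp action instead of [RequireHttps].
public sealed class RequireSecureHostAttribute : RequireHttpsAttribute
{
    // Host the certificate was issued for (from the question); adjust as needed.
    private const string SecureHost = "secure.mydomain.com";

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Local testing: only TLS matters, since secure.mydomain.com does not
        // resolve to the developer machine. Elsewhere both TLS and host must match.
        bool hostOk = request.IsLocal
            || string.Equals(request.Url.Host, SecureHost, StringComparison.OrdinalIgnoreCase);
        if (request.IsSecureConnection && hostOk)
        {
            return;
        }
        HandleNonHttpsRequest(filterContext);
    }

    protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        // Only GET can be replayed through a redirect; a POST would lose its
        // body (the sign-up data) silently, so fail loudly instead.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "SignUp must be requested over HTTPS on " + SecureHost);
        }
        string host = request.IsLocal ? request.Url.Host : SecureHost;
        filterContext.Result = new RedirectResult(RebuildOnHost(request.Url, "https", host));
    }

    // Swaps scheme and host, keeping path and query; Port = -1 selects the
    // scheme's default port. This is also the building block for sending
    // http://somesite.com/foo.aspx to www. or blog. on the same site.
    internal static string RebuildOnHost(Uri original, string scheme, string host)
    {
        var builder = new UriBuilder(original) { Scheme = scheme, Host = host, Port = -1 };
        return builder.Uri.AbsoluteUri;
    }
}
```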
I have an app that uses impersonation to gain access to a database (on server separate from IIS). The app connects to the database using a trusted connection and seems to be working just fine. However, we get these logon failure events in the security event viewer:
[Code]....
It must have something to do with impersonation because the login failure is for the domain account which my app is impersonating under. But again, the app is working fine so I'm having a hard time figuring out how to stop these logon failures.
I am trying to create a strong name for an assembly by giving the code below:
[assembly: AssemblyDelaySign(false)]
[assembly: AssemblyKeyFile(@"Users\ABC\Documents\Visual Studio 2008\Projects\codeaccesssecurity\codeaccesssecurity\bin\Debug\ABC.snk")]
[assembly: AssemblyKeyName("")]
When I am compiling the project I am getting this error:
Error 1 Cryptographic failure while signing assembly 'C:\Users\ABC\Documents\Visual Studio 2008\Projects\codeaccesssecurity\codeaccesssecurity\obj\Release\codeaccesssecurity.exe' -- 'Error reading key file 'Users\ABC\Documents\Visual Studio 2008\Projects\codeaccesssecurity\codeaccesssecurity\bin\Debug\ABC.snk' -- The system cannot find the path specified. '
I have two websites (domain and subdomain), something like this: www.website.ro and en.website.ro and I am trying to share a cookie between them. I have set the cookie domain to "website.ro", I tried setting it to ".website.ro", but it doesn't work. I can only read the cookie in the website that created it.
Here's the situation. I have an aspx page that is designed to receive a POST request with some XML values, parse the XML, grab the relevant items, and write them to the page. The problem arises when I try to launch the page using the POST request. When I launch using Fiddler, building the request manually and just pasting the XML in the body of the request everything works fine and dandy. When I launch the page from a basic HTML form, however, things don't go so great. The HTML form that I'm using looks like this:
[Code]....
When the page loads I get the error:
A potentially dangerous Request.Form value was detected from the client
Everything I've read so far has told me that the solution is to add ValidateRequest="false" to the page directive in the top of the .aspx file, or in the pages element of the web.config file. But neither of these works. Afterwards, I still get the same error. Any idea what I need to do to make this work?