Security :: Response.Redirect To Current Page With Cookieless Authentication?
Mar 30, 2011
I have a logon/register control that is on several pages. Users are logged on with code: - FormsAuthentication.SetAuthCookie(Userid, False) Response.Redirect(Request.Url.AbsoluteUri) ' Round trip is necessary to complete logon
All this was working OK, except that there was a problem with Internet Explorer users: if their browser had the default privacy setting the authorization cookie was rejected. There was no message, but they were not logged on. See [URL] To try to solve this problem I changed to cookieless authentication, but now the logon control doesn't work. The problem is that after cookieless authentication the URL changes from
[URL]
However Request.Url.AbsoluteUri remains http://localhost:3641/TestGDB/login_pages/home2.aspx even after the logon, and so with cookieless authentication the user is not logged on as there is no authentication ticket in the redirect URL.
The problem is "solved" by changing the Redirect statement to Response.Redirect("~/login_pages/home2.aspx") which works perfectly for this particular page, but is obviously wrong when the control is on other pages.
I have a page that is used to add info from a gridview into a user's profile. I have explained my issues after all of the code. Here is the applicable code(s) involved:
Protected Sub AddToCart(ByVal sender As Object, ByVal e As CommandEventArgs) For Each gvr In GridViewItems.Rows Dim txtGiftAmt As TextBox = (CType(gvr.FindControl("txtGiftAmt"), TextBox)) If txtGiftAmt.Visible = True Then Dim customPrice As String = txtGiftAmt.Text.ToString 'HERE is where I would like to set the new price variable value somehow End If Next Dim scart As New ShoppingCart scart.AddCartItem(e.CommandArgument.ToString()) Response.Redirect("~/ShoppingCart.aspx") End Sub
This sub is called by the following button when clicked:
[Code]....
Here is the sub from the ShoppongCart Class named AddCartItem:
[Code]....
Here is the problem that I am having: I have one specific item that allows user's to define their own price (for this item only). By putting this price in a session variable seems to be the easiest way to handle this (at least for me), but the session variable's value always "lags behind". By this I mean that the first time the items is entered, it uses the default value of cartItem.ItemPrice. The second time the same item is added (with the intention of a different price), this new item's cartItem.ItemPrice is set as the first session("customPrice").
Because the user is selecting his/her own price for this item, I am not worried about lack of security involved with using query string to pass this price, but I can't get the string passed to the ShoppingCart class correctly (shows up null). Is there a way to append this customPrice to the current page's query string before the Response.Redirect takes place? If I understand this correctly, the Response portion "posts back" to the current page before the Redirect sends us on our merry way, right?
I just observed something with the .net 3.5 VS2010 Login control. It seems to response.redirect is doing something I cant explain:
[Code]....
after I hit the response.redirect all that is happening is that I stay on the login page and the URL changes to http://localhost:50324/Account/Login.aspx?ReturnUrl=%2fAccount%2fAdmin%2fApproval.aspx
Why am I not properly redirected? I used server.transfer, that put me on the right page (Approval.aspx) BUT as soonas I clicked a button, I was back at Login.aspx.
we would like to redirect the user to a given page if the authentication to our SharePoint site fails (i.e. the standard windows login prompt pops up three times - we are using windows authentication). No matter what option we try it always ends up bringing the user back to a blank page.
We have tried writing a HttpModule (and catch the if Response.StatusCode = 401), which doesn't seem to fire any events if the user is not authenticated. We have tried writing a HttpHandler, but of course we can redirect the user if there is an error code but can't continue onto the desired site if not. We have tried doing the following in the web.config:
I am in the process of designing application in case user authentication if failed i need to redirect to default page (NT Authentication). Is there any way you can redirect the user on IIS if the user is fail go through the NT authenticaiton at IIS level.Options 1 : Always land the user to defalut page and validate there and redirect to site based on the access give the directory level access. I am looking if there any options to let the user to default page in case user access is denied.
As I have migrated Web Application from 3.5 (VS 2008 ) to 4.0 Vs (2010)
Now i am having problem with Response.Redirect
As I in .aspx pages i have found the following solution and it is working fine.
old Code with is not Working in Vs2010
[code]....
But now I need to Redirect from the class librarySo can any one guide me on the same.. i can i redirect .. AS I have try with HttpContext.Current.Response.Redirect(strURL); but it is not working.
if ((Request.QueryString["UbytovaniePrispevokID"].ToString()) == "")[code]......
What i want to do is.. I have one main page with new posts Each subject of the new post is the link to Another page where is Specific post and coments and user can leave a coment.
What I want is when the Request.QueryString["UbytovaniePrispevokID"].ToString()) == "" or null I want to redirect to error page ...
I am using ASP.Net's forms authentication, but do not want the default behavior of redirecting to a login page when a restricted area is accessed. Instead I would like to invoke a javascript JQuery dialog for the login on the current page, preventing the content behind from loading.My only issue is that by default the forms authentication wants to redirect. Is there a handler that I can hook into, or some other option to prevent the redirect?
I am currently having a spot of bother in something im trying to create. I want it so when a user who is in a certain role logs in they are directed to a certain page, and any other normal users are directed to another page.
I think i have this sorted via code but...
-The first time it will work, the 'admin' user will get directed to the appropriate page
-I then log out and log in as a normal user and get directed to the appropriate page
-then when i log out of that users account and back into the admin one i get directed to the normal users page instead.
-additional to this, I tried it on a different machine logging in as the admin user only to be redirected to the normal users page (is my session being stored somewhere?)
Ive traced through the problem and the user name and password being subbmitted are what they should be, yet it skips the true part of my IF statement for being in that role.
Here is my code I am using on the login form:
[Code]....
-When stepping through if seen it work and not work with the same values, I cant understand the logic of its inconsistency
the code i am using for the logout is (this is on my masterpage):
We just switched to VS2010 and seems like the forms authentication is behaving differently.
Our setup is that we have a default page (default.aspx) so that if you link to the root folder of the site, rather than a specific page, you get switched to default.aspx.
In addition, we have a working forms authentication system set up so that if you try to go to any of the pages you get redirected to a login.aspx page.
The login page can either redirect you to the forms authentication default page (default.aspx) or to the requested URL.
I'm not the one that configured this originally, but it looks like we are getting the originally requested URL from the authentication redirect, since Page.Request.Url = "http://.../Login.aspx/ReturnURL=<requestedpage>"
The problem is that this is failing to work when the original url is the root folder. In VS2008, <requestedpage> would be "/rootfolder/default.aspx", whereas now (in VS2010) we're getting "/rootfolder/". In other words, the site redirect used to be happening before the authentication check, and now it seems to be happening afterwards.
This is a problem because when we are checking to see if we need to redirect to something other than the default page, we check to see if the return URL is empty or matches the authentication defaultURL (which is also "default.aspx". If it matches, we go straight to the default page. If it doesn't we do some processing and then do the redirect. The extra processing is producing strange results when the browser is redirected to the rootfolder and therefore to the default page.
For now, I'm able to additionally test for Request + "default.aspx" (which resolved to the authenticaiton defaultURL), but this feels clunky and I can see headaches in the future if we ever need to rename default.aspx.
P.S. It has occurred to me that it's possible that something changed in web.config or another setup file when we did our conversion to VS2010. I can't find it, but that doesn't mean it's not there.
how to redirect to a custom URL on Forms Authentication timeout? The timeout is working but it is only caught when I try to go to a page in my application because each Page_Load method is wrapped in a custom IsLoggedIn method. Here is the settings I have so far in the Web.config.
I have an ASP .NET website that uses cookieless sessions When the initial request is made to the site IE just displays the standard "Internet Explorer cannot display the webpage" message Firefox displays the following message: The page isn't redirecting properly Firefox has detected that the server is redirecting the request for this address in a way that will never complete. *This problem can sometimes be caused by disabling or refusing to accept cookies. The site works fine with my development server and under IIS6. If I switch off cookieless sessions then everything is fine
Per different user mode, some pages should not be accessible by users unless they have a valid session key.In your opinions -- would it be better to have a list of acceptable pages in the master page, and check if the current page is valid for the current user? Or handle this on every child page?I'm thinking master page, just want to hear what your input would be.
I've got a site called domain.com and also another product on product.domain.com. The product.domain.com requires authentication to access it. For consistancy in the user experience I have set the login url in the web.config on product.domain.com to be http://domain.com/Login.aspx. This redirection is working ok - and a sample url would be:
The problem is that the RedirectURL does not take into account that the request originally came from product.domain.com so when the authentication is successful the user is not redirected back to product.domain.com
I have come up with a solution for this but would like feedback if possible.
I changed the loginURL in the web.config to http://domain.com/Login.aspx?domain=product.domain.com so the sample url is now:
I then override the LoggedIn event in the membership control and check to see if the domain value pair is specified and if it is I redirect to the domain + ReturnURL.
As I said previously i'd appreciate any comments or other ways to achieve the same result.
And a SQL Server database with ASP.NET Membership and Roles. I am using the LoginView control with the AnonymousTemplate and LoggedInTemplate to manage the user's interaction with logging in and out. The problem I am having is that I am authenticating the user against the database:
If Membership.ValidateUser(_userName, _txtLoginPass.Text) Then returns True and: FormsAuthentication.SetAuthCookie(_userName, False) sets the cookie correctly: FormsAuthentication.Decrypt(FormsAuthentication.GetAuthCookie(_userName, False).Values(0)) {System.Web.Security.FormsAuthenticationTicket} CookiePath: "/" Expiration: #1/21/2010 1:42:27 PM# Expired: False IsPersistent: False IssueDate: #1/21/2010 1:22:27 PM# Name: "jaymo " UserData: "" Version: 2 but when I check HttpContext.Current.User.Identity.IsAuthenticated it always returns False. If done this before and it worked fine. I cannot find any mistake I might have made or where something might have changed between ASP.NET 2.0 and 3.5.
I'm trying to get the previous page URL after I do a response write and i've looked around the web and people are using HTTP_REFERER but that doesn't work with Response.Redirect so is there anyway to get the URL of the previous page?
I have this code on a few pages and i need to know which page it is coming from when it gets to the servererror/default.aspx page
Response.Redirect("servererror/default.aspx?404")
And on my servererror/default.aspx page i'm just trying to grab the previous page URL and put it into the Session Session("ErrorPage")
I had a problem lately that I managed to have for it 2 solutions and I am wondering which one should I choose. Here the issue : When a user requests my site ( www..com), I am gonna redirect him to (www..com/en) because it is a multilingual site. I am using .NET routing to to that. In the Page_Load of the default.aspx page I check if the language in the Routing Collection is available, I don't redirect. If it is not available I redirect to (www._.com/en). Here is the code :
if (Page.RouteData.Values.Count == 0) { if (SessionManager.IsUserAuthenticated) { //Redirect To User HomePage for his Main Language Page.Response.Redirect(UserManager.GetUserMainPageWhenLoggedIn(SessionManager.LoggedUser.LanguageID,true)); } else { Page.Response.Redirect(String.Format("~/{0}", Cultures.en.ToString()), true); Helpers.SetCulture(Cultures.en.ToString()); } } I am using Response.Redirect to do that. Now if I set to End The Response the method parameter, it will throw an exception so I can handle it throught try { this.InitializeLayout(); } catch (ThreadAbortException ex) { } catch (Exception ex) { ExceptionManager.LogException(ex); }
If I don't end the Response, the page will execute the whole lifecyle, redirect and then do it again which results a double execution of the page. My main objective is not to execute the page 2 times to minimize processing ( if the site gets hammered by a big traffic). If I end the Response, a ThreadAbortExeption will be thrown and I think this is not good for the site.( I can catch it and not log it).
I am generating Word docs from a gridview. The Word doc gets sent to the client using a Resposne object. However, I would also like to highlight the row in question and update a file generation log display (another gridview).
All the data fucntions on the server side fire fine, but any visual updates to the current page never hit the client. The Response object seems to take over the entire response.
Is there any way to accomplish both: execute the Response and update the current page?
