[CLOSED] Forms authentication RedirectFromLoginPage not working



CarWise
Jun 04, 2012, 2:04 PM
Hi,

New project, new problems :)

I'm using forms authentication in this new project. The FormsAuthentication.RedirectFromLoginPage code doesn't redirect me to the initial page, but on failure the message box opens, so that works. Any idea?

These are my settings in the web.config:



<authentication mode="Forms">
    <forms
        loginUrl="Login.aspx"
        defaultUrl="Default.aspx"
        slidingExpiration="true"
        timeout="60"
        name=".Auth"
        protection="All">
    </forms>
</authentication>
<authorization>
    <deny users="?"/>
</authorization>


I've added this to the global.asax



protected void Application_AuthenticateRequest(object sender, System.EventArgs e)
{
    string url = HttpContext.Current.Request.RawUrl.ToLower();
    if (url.Contains("ext.axd") || url.Contains(".css"))
    {
        HttpContext.Current.SkipAuthorization = true;
    }
}


and this is the login page (html)



<%@ Page Language="C#" CodeFile="Login.aspx.cs" Inherits="Login" %>
<%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
<!DOCTYPE html>
<html>
<head id="Head1" runat="server">
    <title>Inloggen CarWise Support</title>
    <link href="Style/StyleSheet.css" rel="stylesheet" type="text/css"/>
</head>
<body>
    <form id="Form1" runat="server">
        <ext:ResourceManager ID="ResourceManager1" runat="server" CleanResourceUrl="false"/>
        <ext:Window ID="winLogim"
            runat="server"
            Width="350"
            Height="120"
            Title="Inloggen CarWise Support"
            Icon="LockAdd"
            Closable="false"
            BodyPadding="5"
            Layout="Form">
            <Defaults>
                <ext:Parameter Name="LabelWidth" Value="125" Mode="Raw" />
            </Defaults>
            <Items>
                <ext:NumberField
                    ID="nfLogin"
                    runat="server"
                    FieldLabel="Login"
                    AnchorHorizontal="100%"
                    HideTrigger="true"
                    />
                <ext:TextField ID="tfPassword"
                    runat="server"
                    Vtype="password"
                    FieldLabel="Wachtwoord"
                    InputType="Password"
                    MsgTarget="Side"
                    AnchorHorizontal="100%"/>

                <ext:Button ID="btnLogin" Text="Inloggen" runat="server">
                    <DirectEvents>
                        <Click OnEvent="Button_Click"/>
                    </DirectEvents>
                </ext:Button>
            </Items>
        </ext:Window>
    </form>
</body>
</html>


Codebehind



using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.Services;
using System.Web.UI;
using System.Web.UI.WebControls;
using Ext.Net;




public partial class Login : System.Web.UI.Page
{
    protected void Button_Click(object sender, DirectEventArgs e)
    {
        String cDebiteurID = nfLogin.Text;
        String cPassword = tfPassword.Text;

        if (cDebiteurID == "1" && cPassword == "password")
        {
            FormsAuthentication.RedirectFromLoginPage(cDebiteurID, false);
        }
        else
        {
            ExtNet.Msg.Alert("Foute login", "De door u gekozen combinatie is bij ons niet bekend.").Show();
        }
    }
}

Vladimir
Jun 04, 2012, 2:23 PM
Standard redirect methods will not work with direct events.
Please use:


X.Redirect(FormsAuthentication.GetRedirectUrl(cDebiteurID, false));




I've added this to the global.asax

protected void Application_AuthenticateRequest(object sender, System.EventArgs e)
{
    string url = HttpContext.Current.Request.RawUrl.ToLower();
    if (url.Contains("ext.axd") || url.Contains(".css"))
    {
        HttpContext.Current.SkipAuthorization = true;
    }
}

It is a big security hole in your application. If I add the following query string to the URL, then authorization will be skipped:


url?ext.axd


Maybe this version is better:


protected void Application_AuthenticateRequest(object sender, System.EventArgs e)
{
    // FilePath is the path of the requested file only; it does not include the query string.
    string url = HttpContext.Current.Request.FilePath;

    if (url.EndsWith("ext.axd"))
    {
        HttpContext.Current.SkipAuthorization = true;
    }
}
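
The difference between the two checks in the post above, as an added example that is not part of the original thread or of Ext.NET: a console program that runs the substring check from the first post and a path-only check over a few constructed request URLs. The names WeakSkip, StrictSkip and PathOnly are hypothetical; PathOnly stands in for Request.FilePath, and the strict check goes slightly further than the suggested fix by requiring an exact, case-insensitive match on the last path segment and by keeping the .css exemption as an extension test.

```csharp
using System;

static class SkipAuthorizationCheck
{
    // Check from the first post: substring match over the whole raw URL,
    // query string included.
    static bool WeakSkip(string rawUrl)
    {
        string url = rawUrl.ToLower();
        return url.Contains("ext.axd") || url.Contains(".css");
    }

    // Stand-in for Request.FilePath in this console demo (assumption: the
    // real handler reads FilePath instead of parsing the URL itself).
    static string PathOnly(string rawUrl)
    {
        int q = rawUrl.IndexOf('?');
        return q >= 0 ? rawUrl.Substring(0, q) : rawUrl;
    }

    // Hardened check: look only at the last path segment and require an
    // exact, case-insensitive handler name or a .css file extension.
    static bool StrictSkip(string rawUrl)
    {
        string path = PathOnly(rawUrl);
        string file = path.Substring(path.LastIndexOf('/') + 1);
        return file.Equals("ext.axd", StringComparison.OrdinalIgnoreCase)
            || file.EndsWith(".css", StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed sample requests, not taken from a real log.
        string[] samples = {
            "/ext.axd?v=1",
            "/EXT.AXD?v=1",
            "/Style/StyleSheet.css",
            "/Default.aspx",
            "/Default.aspx?ext.axd",
            "/Default.aspx?theme=.css",
        };
        foreach (string raw in samples)
            Console.WriteLine("{0,-28} weak={1,-5} strict={2}",
                raw, WeakSkip(raw), StrictSkip(raw));
    }
}
```

The two checks agree on the first four samples and differ only on the last two, where the matching text sits in the query string rather than in the requested file name.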

Vladimir
Jun 04, 2012, 2:25 PM
Also, try to update from SVN. Recently, we fixed one bug related to forms authentication.

CarWise
Jun 04, 2012, 2:38 PM
Also, try to update from SVN. Recently, we fixed one bug related to forms authentication.

Thanks for the info, Vladimir. I've copied and pasted the global.asax code from earlier posts, so I need to be more careful :)

I will look into your remarks.

Martin

CarWise
Jun 05, 2012, 7:04 AM
Standard redirect methods will not work with direct events.
Please use:


X.Redirect(FormsAuthentication.GetRedirectUrl(cDebiteurID, false));



I needed one extra line of code above this one. Otherwise it was an endless loop login --> login ---> login: (although the validation was correct)



FormsAuthentication.SetAuthCookie( Convert.ToString( DebiteurID ) , false );


Now it works

Regards,

Martin

Daniil
Jun 05, 2012, 1:25 PM
Yes, that is correct.