Question

We are using ASP.NET 4.0 with IIS. We went the MVC route.

We are developing a website that uses a session variable, and when that variable is reset, the user must log in again to re-authenticate. The way we check whether the user is authenticated is by loading each page and checking to see if the session variable is valid.

We want to send the user back to where they were working last, rather than the index page, but we want to know what is the most secure way of doing this.

We have two ideas at the moment:

  1. Perhaps using a cookie to some extent
  2. Using the query string in this manner:

    If SessionAuth = "Y" Then
        ' Session is still valid: expose the user details to the view
        ViewBag.sessionauth = SessionAuth
        Dim SessionUserid As String = CType(HttpContext.Session("userid"), String)
        Dim SessionUsername As String = CType(HttpContext.Session("username"), String)
        ViewBag.SessionUserid = SessionUserid
        ViewBag.SessionUsername = SessionUsername
    Else
        ' Session is gone: send the user to the login page, carrying the current URL
        Dim pageId As String = Request.Url.AbsoluteUri
        Return Redirect("/~~~/login.asp?pageid=" & pageId)
    End If

What do you all think?

P.S. the "/~~~/" is just to hide the project name.


Solution

Typically authentication is handled by specifying the authentication node in your web.config. For instance, for Forms based authentication you would put:

    <authentication mode="Forms">
        <forms name=".ADUAUTH" loginUrl="Login/login" protection="All" timeout="30" />
    </authentication>

Also synchronize your session timeout with the authentication timeout:

    <sessionState mode="StateServer" cookieless="false" timeout="30" />

The loginUrl is where ASP.NET will send users with a ReturnUrl specified whenever their authentication cookie is invalid. (e.g. http://myapp.com/Login/login?ReturnUrl=/The_Page_I_was_On)

Check out How ASP.NET Security Works
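As an added example (not code from the question or the answer above), a VB.NET login controller that consumes the ReturnUrl forms authentication appends, sending the user back to the page they were on only when that target is local to the site; it assumes ASP.NET MVC 3 or later for Url.IsLocalUrl and a configured Membership provider.

```vbnet
' Added example, not from the original post: a Login controller for the
' loginUrl="Login/login" entry in the web.config above.
' Assumptions: ASP.NET MVC 3+ (Url.IsLocalUrl) and a Membership provider.
Imports System.Web.Mvc
Imports System.Web.Security

Public Class LoginController
    Inherits Controller

    ' GET Login/login?ReturnUrl=/Orders/Edit/42
    ' Forms authentication sends the user here when the ticket is missing or expired.
    <HttpGet>
    Public Function Login(returnUrl As String) As ActionResult
        ViewBag.ReturnUrl = returnUrl
        Return View()
    End Function

    <HttpPost>
    <ValidateAntiForgeryToken>
    Public Function Login(username As String, password As String,
                          returnUrl As String) As ActionResult
        ' Assumption: credentials are checked by the configured Membership provider.
        If Not Membership.ValidateUser(username, password) Then
            ModelState.AddModelError("", "Invalid user name or password.")
            ViewBag.ReturnUrl = returnUrl
            Return View()
        End If

        ' Issue the forms-auth ticket cookie (.ADUAUTH in the web.config above).
        FormsAuthentication.SetAuthCookie(username, False)

        ' Follow ReturnUrl only when it points back into this site; an absolute
        ' or protocol-relative URL to another host falls back to the home page,
        ' so the login page cannot be used to bounce users off-site.
        If Not String.IsNullOrEmpty(returnUrl) AndAlso Url.IsLocalUrl(returnUrl) Then
            Return Redirect(returnUrl)
        End If
        Return RedirectToAction("Index", "Home")
    End Function
End Class
```

Because the forms ticket and the session share the 30 minute timeout from the web.config, an expired session coincides with an expired ticket, and this action restores both in one step.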

Licensed under: CC-BY-SA with attribution