Question

How do you solve the infinite login loop problem when you are using cookieless sessions and cannot change the name of login.aspx to an HTTP handler?

i.e. when a user with admin rights hits the logout button and the return URL to a restricted page is passed to login.aspx, then another user without admin rights tries to log in, they get redirected back to the login page.

I have come across this solution but I cannot change the name of login.aspx to an HTTP handler, and the IsAuthenticated function doesn't seem to work in the aspx page with cookieless auth because the forms auth ticket seems to be stripped from the URL when redirected back to the login page.

EDIT:

Because this application is already in production I cannot alter the page flow of the login/logout/timeout process or rename the login page.


Solution

Check if the user is authorized to access the page in the returnUrl after logging in on the login.aspx page. You might use this method of the UrlAuthorizationModule (or a custom one if it works best for you):

System.Web.Security.UrlAuthorizationModule.CheckUrlAccessForPrincipal(
    returnUrl,
    userPrincipal,
    "GET");

If the user isn't authorized, just redirect to a page that the user can access.

To get the user Principal:

var roles = System.Web.Security.Roles.GetRolesForUser(username);

var principal = new System.Security.Principal.GenericPrincipal(
    new System.Security.Principal.GenericIdentity(username),
    roles
);
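The check described in this answer, wired into a Login.aspx code-behind, as an added example that is not code from the question or the answers. It assumes a Membership/Roles provider is configured, that the controls are named UserName, Password and FailureText, that ~/Default.aspx is a page every authenticated user may reach, and that ReturnUrl is an application path without the cookieless session token segment.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed landing page that every authenticated user is allowed to reach.
    private const string FallbackUrl = "~/Default.aspx";

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string username = UserName.Text;                 // assumed control names
        if (!Membership.ValidateUser(username, Password.Text))
        {
            FailureText.Text = "Invalid user name or password.";
            return;
        }

        // Build the principal exactly as the answer shows, so the URL check sees the roles.
        string[] roles = Roles.GetRolesForUser(username);
        var principal = new GenericPrincipal(new GenericIdentity(username), roles);

        // Only the path part matters for <authorization>; drop any query string.
        string returnUrl = Request.QueryString["ReturnUrl"] ?? string.Empty;
        string path = returnUrl.Split('?')[0];

        // Honour ReturnUrl only if it is local, is not the login page itself
        // (that is the loop), and this user is actually authorized for it.
        bool canUseReturnUrl = IsLocalPath(path)
            && !path.EndsWith("login.aspx", StringComparison.OrdinalIgnoreCase)
            && UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, principal, "GET");

        // In cookieless mode the ticket travels in the URL; Response.Redirect to a
        // relative URL is rewritten by ASP.NET to carry it.
        FormsAuthentication.SetAuthCookie(username, false);
        Response.Redirect(canUseReturnUrl ? path : FallbackUrl);
    }

    // Accept only application-local absolute paths: rejects "//host/..." and
    // "http://host/..." so ReturnUrl cannot be used as an open redirect.
    private static bool IsLocalPath(string path)
    {
        return path.Length > 1 && path[0] == '/' && path[1] != '/' && path[1] != '\\';
    }
}
```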

OTHER TIPS

We had a similar problem, and I fixed it doing the following:

If "LogOut".Equals(e.CommandName) Then
    FormsAuthentication.SignOut()
    Response.Redirect("~/Login.aspx")
End If

And then in Login.aspx we change the PostBackUrl to Login.aspx if it contains a ReturnUrl parameter that sends the user back to Login.aspx.

A few options...

One, redirect manually back to Login.aspx when a user is logged out, so there is no ReturnURL. Have a meta-refresh on your pages that matches the session timeout so the user doesn't click on resources they suddenly can't get to.

Two, always log someone out in the Page_Load of Login.aspx. Hey, why not? I can think of some reasons, but maybe they don't apply to your situation.

Three, ignore the ReturnURL. You don't have to call RedirectFromLoginPage! Redirect the user to a default landing page on login.

Could you change the page flow?

What I mean is, rather than redirect back to the login.aspx page when a user does not have access to a resource, redirect them to an information page.

This page explains the reasons for the redirect, and gives them options like:

1. Click here to log in as another user.
2. Click here to request access to the page.
3. Click here to log in again, if your session has expired.

This would remove the circular reference, and thus the problem.

What about adding an HTTP module that checks whether Request.UrlReferrer is the login page and, if so, checks whether they are authorized to access Request.Url and, if not, redirects them to a "You are not authorized to view this page." page.

Although you say you can't change the name of login.aspx to an HTTP handler, have you tried adding an HTTP 301 redirect so that whenever login.aspx is requested the server redirects the user to an HTTP handler, e.g. login.ashx?

Licensed under: CC-BY-SA with attribution