Question

I have a validation (authentication) problem within my ASP.NET application. I use FormsAuthentication with cookies enabled; however, for security reasons I am forced to ALSO use another, external source of authorization (which, based on a username/password combination, gives the user a "sessionID").

The application works fine when the user logs in using his username/password credentials (and thus obtains a sessionID). However, because cookies are enabled, the login page can be 'skipped' (the user is redirected to default.aspx) and he won't obtain a proper sessionID.

My question is whether there is a way to check if the user

a) came from the login page (thus, has been redirected to default.aspx)

OR

b) FormsAuthentication was performed based on cookie data, not on username/password

Solution

Yes, you can check what page a user came from using "request.UrlReferrer.ToString" and compare it to your login page URL.

OTHER TIPS

Assuming you redirect to a default.aspx page once the user logs in (such that page load now includes the authentication cookie from the redirected client), you would know whether or not they're authenticated using global.asax.cs' Application_AuthenticateRequest event:

protected void Application_AuthenticateRequest(Object oSender, EventArgs eA)
{
    // Wire up authenticated principal with user information.

    if (this.Request.IsAuthenticated == true)
    {
        // do something with this.User.Identity.Name to map to a "sessionid"
    }
}

You ask about determining whether they just logged in and landed at the home as a redirected user, or they came to home (or any other view) directly using a browser-saved cookie, but I think it doesn't matter. If you're storing a user's extra authentication key as part of processing the login, perhaps you should be doing it in the AuthenticateRequest event for all accesses of protected pages. Note: that event gets fired for a lot (css files, images, whatever). You may want to ignore every kind of request except .aspx ones.
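
An added example (not code from either answer): the Referer header behind Request.UrlReferrer is supplied by the browser and may be absent, so this sketch instead stores the external sessionID in the forms ticket's UserData at login and rejects any cookie that lacks it. The ExternalSessionTicket helper and its parameters are hypothetical names, and the call to the external service that returns the sessionID is assumed to happen on the login page.

```csharp
// Added example; ExternalSessionTicket and IssueCookie are hypothetical names.
using System;
using System.Web;
using System.Web.Security;

public static class ExternalSessionTicket
{
    // Call from the login page after the external service has returned a
    // sessionID for the username/password (that call is assumed, not shown).
    public static void IssueCookie(HttpResponse response, string userName,
                                   string externalSessionId, bool persistent)
    {
        // UserData travels inside the encrypted, signed forms ticket.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, externalSessionId, FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }
}

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null
            ? null : Context.User.Identity as FormsIdentity;
        if (identity == null) return;   // anonymous: forms auth handles it

        // A ticket without the external sessionID was not issued by
        // IssueCookie, so drop the cookie and send the user to the login page.
        if (string.IsNullOrEmpty(identity.Ticket.UserData))
        {
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

With this in place, pages read the sessionID from ((FormsIdentity)User.Identity).Ticket.UserData instead of inferring how the user arrived.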

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow