July 11, 2007 - 16:03 UTC - Tags: .NET ASP.NET authentication authorization login
I guess this happens to lots of people because I found a lot of writing about it after searching google, but I didn't find any solution I could fully use. So I created a version that should work in most cases.
The problem
You have created a web application using forms authentication. You have setup a login page (Login.aspx) where the user can log in using his username and password. Once the user is logged in, you display some information and then redirect the user to whatever the returnUrl parameter says. You have also defined Login.aspx in web.config as the login page:
A user logs in to your site, and tries to access a resource that he/she does not have access to. The ASP.NET framwork redirects the user to Login.aspx to authenticate once again (Login.aspx?returnUrl=some/secure/resource), but Login.aspx sees the user as logged in, and tries to redirect the user back to the returnUrl (some/secure/resource), which again redirects to the login page. We have a loop.
The solution
ASP.NET allows you to create HTTP handlers, which are of type System.Web.IHttpHandler. These handlers can handle http-request and send back data or redirect to another URL. HTTP handlers are mapped in web.config. We add an HTTP handler called Login.ashx to handle our logins:
Next we change out login URL to point to the HTTP handler:
The HTTP handler class is pretty simple. All it has to do is check if the user is logged in or not, and redirect to the proper page. We can also make sure that we access the actual login page over SSL:
The problem
You have created a web application using forms authentication. You have setup a login page (Login.aspx) where the user can log in using his username and password. Once the user is logged in, you display some information and then redirect the user to whatever the returnUrl parameter says. You have also defined Login.aspx in web.config as the login page:
<authentication mode="Forms">
<forms loginUrl="Login.aspx">
</forms>
</authentication>A user logs in to your site, and tries to access a resource that he/she does not have access to. The ASP.NET framwork redirects the user to Login.aspx to authenticate once again (Login.aspx?returnUrl=some/secure/resource), but Login.aspx sees the user as logged in, and tries to redirect the user back to the returnUrl (some/secure/resource), which again redirects to the login page. We have a loop.
The solution
ASP.NET allows you to create HTTP handlers, which are of type System.Web.IHttpHandler. These handlers can handle http-request and send back data or redirect to another URL. HTTP handlers are mapped in web.config. We add an HTTP handler called Login.ashx to handle our logins:
<location path="Login.ashx">
<system.web>
<httpHandlers>
<add verb="*" path="Login.ashx" type="My.NameSpace.LoginHandler" validate="true" />
</httpHandlers>
</system.web>
</location>Next we change out login URL to point to the HTTP handler:
<authentication mode="Forms">
<forms loginUrl="Login.ashx">
</forms>
</authentication>The HTTP handler class is pretty simple. All it has to do is check if the user is logged in or not, and redirect to the proper page. We can also make sure that we access the actual login page over SSL:
namespace My.NameSpace
{
public class LoginHandler : IHttpHandler, IRequiresSessionState
{
public void ProcessRequest(HttpContext context)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
context.Response.Redirect("/NotAuthorized.aspx");
}
else
{
string loginUrl = "https://" + context.Request.Url.DnsSafeHost + "/Login.aspx";
if (!string.IsNullOrEmpty(context.Request.Params["returnUrl"]))
{
loginUrl = loginUrl + "?returnUrl=" + HttpUtility.UrlEncode(context.Request.Params["returnUrl"]);
}
context.Response.Redirect(loginUrl);
}
}
public bool IsReusable
{
get { return true; }
}
}
}
August 29, 2007 - 13:28 UTC
Ton
Isn't this easier?
I've solved this problem by adding the following to my login code-behind.
protected void Page_Load(object sender, EventArgs e)
{
if (Request.IsAuthenticated && !IsPostBack)
{
Response.Redirect("/NotAuthorized.aspx");
}
}
August 29, 2007 - 15:00 UTC
Re: Isn't this easier?
We tried that first in our case, but we had some issues there because we needed to show some information which non-postback request. But I guess you solution will work in many cases.
June 12, 2008 - 00:10 UTC
Innovative
Although it’s a year later, I came across this searching for a fix with Themes. The first one is actually better and for a few reasons. IHttpHandlers bypass all the overhead an aspx page causes, so the request and response resolves much faster.Also, with cookieless sessions its best to use IHttpHandlers on a logout because you can clear the session info from the URL before sending it back. Of course you want to clear and abandon every session when you are finished with it anyway. The session information that is sent back is a dead session and respectively harmless. Still, if you don’t want the dead session carried along, clearing a response first generally will take care of it. FYI – if anyone plans to use IHttpHandlers to handle sessionState like information and/or activity, in addition to implementing the IHttpHandler interface, you are also going to want to implement the IRequiresSessionState interface.
Lastly, an interesting issue that made me go hunting again for a solution similar to this was Themes. If you use Themes and then have say a logout page that simply logouts out a users, you need to add a head server tag so the page knows to at least use a default theme if there was nothing set. So instead of going down the path of outfitting pages with common aspx page load behavior on a page that does nothing visually, we switched to IHttpHandlers.
Hope this is helpful. I did my good deed for the day.
www.plmmicrosolutions.com
June 13, 2008 - 09:13 UTC
Re: Innovative
Interesting comment. Thanks, Jason.
May 12, 2010 - 22:28 UTC
After I sign-in I'm looped back to the log-in page (yahoo mail)
Sir i have reported to yahoo mail service but they did not response me still. I can't enter into my account even into my yahoo mail. My ID is correct (greenberet133@yahoo.com) and password is also correct than i looped back into login page. Can you please solve this problem. The current e-mail that is in my use is (heart_free_kick@yahoo.com) please do something.
May 12, 2010 - 22:29 UTC
After I sign-in I'm looped back to the log-in page (yahoo mail)
Sir i have reported to yahoo mail service but they did not response me still. I can't enter into my account even into my yahoo mail. My ID is correct (greenberet133@yahoo.com) and password is also correct than i looped back into login page. Can you please solve this problem. The current e-mail that is in my use is (heart_free_kick@yahoo.com) please do something.
May 23, 2010 - 22:23 UTC
Re: After I sign-in I'm looped back to the log-in page (yahoo mail)
Sorry, but you're going to have to talk to yahoo mail service about that. I can't help unfortunately. The only tip I can give is to try to clear your browser cookies.
August 3, 2010 - 07:34 UTC
Great work from you,I Was designing my first site today and this article helped me resolve the issue i was facing..if people like you keep posting this way..others can stay happy..thanks for sharing
<a href="http://www.sampleforms.org/category/authorization-forms">Authorization Forms</a>
<a href="http://www.sampleforms.org/category/authorization-forms">Authorization Forms</a>
September 15, 2010 - 05:43 UTC
After I sign-in I'm looped back to the log-in page
When I contact Yahoo Help I simply get into another loop. This is not just my problem because the first sentence was copied from a "known problems" list. Clicking that problem sends you to clearing cookies, etc. Believe me, that does NOT solve the problem. FRUSTRATED!!
When I contact Yahoo Help I simply get into another loop. This is not just my problem because the first sentence was copied from a "known problems" list. Clicking that problem sends you to clearing cookies, etc. Believe me, that does NOT solve the problem. FRUSTRATED!!
September 15, 2010 - 08:22 UTC
@PATC: I have NOTHING whatsoever to do with Yahoo, so there is nothing I can do to help. Sorry
November 19, 2010 - 08:44 UTC
Great work from you,I Was designing my first site today and this article helped me resolve the issue i was facing..if people like you keep posting this way..others can stay happy..thanks for sharing!
<a href="http://top10boxofficemovies.blogspot.com/" target="_blank">Movies</a>
<a href="http://top10boxofficemovies.blogspot.com/" target="_blank">Movies</a>
March 25, 2011 - 22:32 UTC
I tried it. I tried after removing cookies. I also did complaints to yahoo service. Since that i am trying but i looped back onto yahoo main page without entering my mail.
About Erlend
Security guy with some thoughts on secure development.
Tag cloud
Categories
Blogroll
