Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > FormsAuthentication.RedirectFromLoginPage()

Reply
Thread Tools

FormsAuthentication.RedirectFromLoginPage()

 
 
Mark Teague
Guest
Posts: n/a
 
      06-23-2006
Greetings MS ASP.Net Community,

I am using forms authentication for a site we've been developing. All users
valid on our Windows domain are eligible to access the site, but are
enrolled in the application upon initial login by insertion of a record into
a [User] table located in a SQL Server database. Insertion of this record
creates an "anonymous" machine generated user ID for them. (The system is a
ride sharing / carpool application and implements a double blind messaging
feature.) New users are also required to agree to the "Terms of Service"
that our legal dept. has composed for this application. So, the login form
is taking care of all of this for me. It only grants an authentication
ticket after verifying that:

1. the user is on the domain
2. the user has been enrolled by insertion into the [User] table
3. the user has agreed to the current "Terms of Service"

Normally, an existing user is redirected from login to a default page
showing their matching commuters (where they can message potential matches
anonymously, etc.) However, when the user is a brand spanking new user who
is accessing the site for the first time I would like to redirect them from
the login page to a "welcome" page that informs them about their anonymous
ID and the double-blind messaging feature, etc.

The problem I seem to have is that when I manually add the cookie for the
authentication ticket to the outgoing cookies collection and try to invoke a
statement such as:

Response.Redirect("Welcome.aspx", False)

the user is not redirected, but receives the login page again.

Is it possible to redirect from the login page to a page other than the one
requested by the user ... i.e. FormsAuthentication.GetRedirectURL()?
Seemingly, I can only redirect the user from the login page via:

FormsAuthentication.RedirectFromLoginPage()

Ok, I think that pretty much sums it up.

Any help will be greatly appreciated.

Sincerely,
Mark



 
Reply With Quote
 
 
 
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      06-23-2006
Response.Redirect works.

Maybe there is some problem in your cookie code and you get bounced back
again to login.aspx....?!

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Greetings MS ASP.Net Community,
>
> I am using forms authentication for a site we've been developing. All
> users valid on our Windows domain are eligible to access the site, but
> are enrolled in the application upon initial login by insertion of a
> record into a [User] table located in a SQL Server database.
> Insertion of this record creates an "anonymous" machine generated user
> ID for them. (The system is a ride sharing / carpool application and
> implements a double blind messaging feature.) New users are also
> required to agree to the "Terms of Service" that our legal dept. has
> composed for this application. So, the login form is taking care of
> all of this for me. It only grants an authentication ticket after
> verifying that:
>
> 1. the user is on the domain
> 2. the user has been enrolled by insertion into the [User] table
> 3. the user has agreed to the current "Terms of Service"
> Normally, an existing user is redirected from login to a default page
> showing their matching commuters (where they can message potential
> matches anonymously, etc.) However, when the user is a brand spanking
> new user who is accessing the site for the first time I would like to
> redirect them from the login page to a "welcome" page that informs
> them about their anonymous ID and the double-blind messaging feature,
> etc.
>
> The problem I seem to have is that when I manually add the cookie for
> the authentication ticket to the outgoing cookies collection and try
> to invoke a statement such as:
>
> Response.Redirect("Welcome.aspx", False)
>
> the user is not redirected, but receives the login page again.
>
> Is it possible to redirect from the login page to a page other than
> the one requested by the user ... i.e.
> FormsAuthentication.GetRedirectURL()? Seemingly, I can only redirect
> the user from the login page via:
>
> FormsAuthentication.RedirectFromLoginPage()
>
> Ok, I think that pretty much sums it up.
>
> Any help will be greatly appreciated.
>
> Sincerely,
> Mark



 
Reply With Quote
 
 
 
 
chris
Guest
Posts: n/a
 
      06-24-2006
Mark,

First, is this 2.0 or 1.x? In 2.0 they have a CreateUserWizard control
that you can set what URL you want to send them to after they
successfully register with your site. In addition the Membership API
helps to take care of managing all your users. But I am thinking,
based on your post, that you are doing this in 1.x.

I heard today at the VS Live show, that the cookies collection can be
tricky, because it actually contains all of the incoming and outgoing
cookies in the same collection. The way they handled this was to
change the cookie directly in the Response.Headers["Cookies"]
collection.

All of this probably does not help, but it's late.

Thanks,
Chris

 
Reply With Quote
 
Mark Teague
Guest
Posts: n/a
 
      06-26-2006
Thanks for your replies,

It is the v1.1 Framework. That's interesting about both the incoming and outgoing cookies being the Response.Cookies collection. I would think that the incoming cookies should be a member of the Request object.

Anyway, a check against Response.Cookies.Count just before the Redirect() reveals that there is one cookie in the collection.

Now for what's really interesting! I created a test ASP.Net solution in another virtual directory on my local development machine and the following code works just fine in the login button's click() event handler:

Dim authTicket As FormsAuthenticationTicket

authTicket = New FormsAuthenticationTicket(txtUsername.Text, True, 60)

' Now encrypt the ticket.
Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)

' Create a cookie and add the encrypted ticket to the
' cookie as data.
Dim authCookie As HttpCookie = _
New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)

' Add the cookie to the outgoing cookies collection.
Response.Cookies.Add(authCookie)
Response.Redirect("Welcome.aspx")

But from my Carpool/RideShare application's virtual directory it acts as though the cookie for the authentication ticket was never written to the client. Subsequent requests get redirected to the login page.

It's become a mystery!
Mark

 
Reply With Quote
 
Mark Teague
Guest
Posts: n/a
 
      06-26-2006
All,

A co-worker helped me debug this problem earlier this morning and we discovered that it was definitely an issue with the authentication ticket cookie.

In particular, I was encrypting the authentication ticket via the following overload (where the Groups string should have contained a comma seperated list of the domain groups to which the current user is a member). But the Groups string was a null reference because the call to initialize it via LDAP had been commented out:

_authTicket = New FormsAuthenticationTicket(1, _
_username, _
DateTime.Now, _
DateTime.Now.AddMinutes(60), _
True, _
Groups)

Apparently, that causes the following statement that encrypts the ticket to return an empty string or a malformed authentication ticket.

Dim encryptedTicket As String = FormsAuthentication.Encrypt(_authTicket)

Initializing the Groups string to an empty string cured the problem.

Thanks for your help!
Mark

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off




Advertisments