«

Hi there,

I was wondering if anyone would be able to shed some light on the
following behaviour for me.

I have an application that is using Forms Authentication with
non-persistent cookies, a forms timeout of 10 minutes, and a
FormsAuthenticationTicket Expiration of 10 minutes. Almost everything is
working as expected... when users try to enter restricted parts of the
site they are redirected to the login.aspx page that I have specified in
order to authenticate themselves. Once authenticated they are returned
successfully to the originally requested page.

(aside: I am able to do this using a call to
Response.Redirect(FormsAuthentication.GetRedirectU rl(txtUserName.Text,
false)); or FormsAuthentication.RedirectFromLoginPage(txtUserN ame.Text,
false); - either method works.)

If the timeout expires and the user then wishes to access some
restricted content again, they are booted back to the login page
(obviously, this is supposed to happen). The part that doesn't work as
expected is as follows:

After this timeout, once the user then successfully
authenticates themself again they do not get redirected to the page they
were trying for, instead they are redirected to default.aspx at the root
of the application.

I noticed that there is no ReturnUrl parameter present in the query
string when redirected to the login page following an authentication
timeout.

Hope to hear from someone.

Regards,

Danny


*** Sent via Devdex http://www.devdex.com ***
Don't just participate in USENET...get rewarded for it!

Danny wrote:

> Hi there,
>
> I was wondering if anyone would be able to shed some light on the
> following behaviour for me.
>
> I have an application that is using Forms Authentication with
> non-persistent cookies, a forms timeout of 10 minutes, and a
> FormsAuthenticationTicket Expiration of 10 minutes. Almost everything is
> working as expected... when users try to enter restricted parts of the
> site they are redirected to the login.aspx page that I have specified in
> order to authenticate themselves. Once authenticated they are returned
> successfully to the originally requested page.
>
> (aside: I am able to do this using a call to
> Response.Redirect(FormsAuthentication.GetRedirectU rl(txtUserName.Text,
> false)); or FormsAuthentication.RedirectFromLoginPage(txtUserN ame.Text,
> false); - either method works.)
>
> If the timeout expires and the user then wishes to access some
> restricted content again, they are booted back to the login page
> (obviously, this is supposed to happen). The part that doesn't work as
> expected is as follows:
>
> After this timeout, once the user then successfully
> authenticates themself again they do not get redirected to the page they
> were trying for, instead they are redirected to default.aspx at the root
> of the application.
>
> I noticed that there is no ReturnUrl parameter present in the query
> string when redirected to the login page following an authentication
> timeout.
>
> Hope to hear from someone.
>
> Regards,
>
> Danny
>
>
> *** Sent via Devdex http://www.devdex.com ***
> Don't just participate in USENET...get rewarded for it!

Are they (the users) sometimes doing a postback after the timeout,
instead of doing a GET for a page; is that the scenario that breaks?
Could be that .NET doesn't populate ReturnUrl if it's a POST that is
being done 'illegally', as it can't really 'put you back where you were'
after logging back in. Now if you were clicking on a simple link (a
GET), it knows it can put you back in that exact spot.

Just a guess...

--
Craig Deelsnyder
Microsoft MVP - ASP/ASP.NET