Can't get access with some role logins - on IIS 6 only

Discussion in 'ASP .Net Security' started by David Thielen, Oct 17, 2006.

  1. Hi;

    This is turning into a major PITA. Someone is in the admin part of our web
    app and they log out to log back in without admin privileges (least
    privileges). They enter their uname/pw and what happens???

    It tries to go back to the page they were last on - which is almost always
    an admin-only page. They are not allowed there and so are kicked to the
    login page. And we get reports that our permissions are broken.

    How can I set it so if a user is logged in but not allowed on a page, it
    redirects to default.aspx instead? This is a major usability issue.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm
     
    David Thielen, Oct 17, 2006
    #1

  2. you can write a module to handle end_request and check for a combination
    of 401 status code and if the user is authenticated or not.

    The problem is that FormsAuthentication will convert the 401 to a 302 to
    the login page. That means that you have to modify the <httpModules> section
    to make your module called first (the order of that list decides in which
    order modules are called that subscribe to the same event).

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier, Oct 17, 2006
    #2
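The module approach sketched in the reply above, written out as an added example in C# for ASP.NET 2.0. This is not code from the thread or from Dominick; the namespace, the module name and the web.config registration below are assumptions, and the only thing taken from the original question is the `~/default.aspx` target. The point it shows is the one the reply makes: on EndRequest, a 401 with an anonymous user must be left for FormsAuthenticationModule to turn into the login redirect, while a 401 with an already-authenticated user is an authorization failure and can be sent to the default page instead, but only if this module's EndRequest handler runs before the FormsAuthentication one.

```csharp
// Added example, not from the thread: an IHttpModule that tells a 401 raised for an
// anonymous user apart from a 401 raised for a user who is authenticated but not
// authorized, and handles the second case before FormsAuthenticationModule rewrites
// it into a 302 to the login page. Namespace and module name are hypothetical.
using System;
using System.Web;

namespace Example
{
    public class AuthorizationFailureModule : IHttpModule
    {
        // Where an authenticated user who lacks the required role is sent instead of
        // the login page. A fixed, app-relative path, never a value from the request.
        private const string FallbackPage = "~/default.aspx";

        public void Init(HttpApplication app)
        {
            // FormsAuthenticationModule also handles EndRequest and, if it still sees a
            // 401 there, redirects to the login page. Handlers for the same event run in
            // <httpModules> registration order, so this module must be listed before it.
            app.EndRequest += OnEndRequest;
        }

        public void Dispose() { }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;
            HttpContext ctx = app.Context;

            // Only act on an access-denied status; leave every other response alone.
            if (ctx.Response.StatusCode != 401)
                return;

            // Anonymous caller: keep the 401 so FormsAuthenticationModule still sends
            // the user to the login page with the usual ReturnUrl.
            if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
                return;

            // Authenticated but denied (e.g. a non-admin requesting an admin page):
            // replace the 401 with a redirect to the fallback page. Because the status
            // is no longer 401 by the time FormsAuthenticationModule runs, it does not
            // add its own redirect to the login page.
            ctx.Response.Redirect(VirtualPathUtility.ToAbsolute(FallbackPage), false);
        }
    }
}

/* Registration in web.config (assumed layout). FormsAuthentication is removed and
   re-added so that this module sits in front of it in the <httpModules> list:

   <httpModules>
     <remove name="FormsAuthentication" />
     <add name="AuthorizationFailure" type="Example.AuthorizationFailureModule" />
     <add name="FormsAuthentication"
          type="System.Web.Security.FormsAuthenticationModule" />
   </httpModules>
*/
```

The check is on `Response.StatusCode == 401` rather than on the login URL because UrlAuthorizationModule signals a denial by setting that status and completing the request; the login redirect is added later, in EndRequest, by FormsAuthenticationModule. Redirecting to a constant path keeps the module from ever echoing a caller-supplied URL.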

  3. Thanks for Dominick's input.

    Hi Dave,

    Using a custom HttpModule and changing the response status may make it a bit
    complex. My concern here is why your user would be redirected to the login
    page after he logs in the second time (with a non-admin account). He is trying
    to request an admin-only page, correct? If this is the case, I think it is
    reasonable to redirect him to the login page, since a non-admin user should
    not request an admin-only page.

    Actually, after the login control correctly validates the user, it will call
    FormsAuthentication.GetRedirectUrl to get the URL to which it will redirect the
    user later. So for your scenario, when a non-admin user originally
    requests an admin-only page and is redirected to the login page, he will go
    through the following steps:

    1. First time on the login page, Context.User.Identity.IsAuthenticated
    == false (because he hasn't logged in).

    2. After login, the login control automatically redirects the user to the
    originally requested page.

    3. Since this page is admin-only, the user is redirected to the login page
    again. However, this time Context.User.Identity.IsAuthenticated ==
    true (because he has already logged in, but doesn't have sufficient permission).

    So what we can do is check
    Context.User.Identity.IsAuthenticated to determine whether the current
    login redirect is due to being unauthenticated or to a lack of permission. If the
    user is already authenticated, you can manually redirect him to the default
    page instead. You can do this in the login control's "OnLoggedIn" event,
    e.g.:

    ===================
    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        // Already authenticated on the login page means the redirect was caused
        // by a lack of permission, not a missing login: go to the default page.
        if (User.Identity.IsAuthenticated)
        {
            Response.Redirect(ResolveUrl("~/default.aspx"));
        }
    }
    =====================

    Hope this helps.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    ==================================================

    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.

    ==================================================



    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Oct 17, 2006
    #3
  4. Brilliant!!!

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm




     
    David Thielen, Oct 17, 2006
    #4
  5. Major problem - the user is not authenticated when that event handler is
    called. It should be - but it isn't.

    However, the following works great:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Will come here if logged in but went to a page not allowed on.
            // In that case go to default.
            if (User.Identity.IsAuthenticated &&
                PortalRole.IsInRole(PortalRole.ROLES.USER))
                Response.Redirect(ResolveUrl("~/default.aspx"));
        }
    }


    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm




     
    David Thielen, Oct 17, 2006
    #5
  6. Thanks for the additional followup and sharing your new solution.

    Good luck:)

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead

     
    Steven Cheng[MSFT], Oct 18, 2006
    #6
