FormsAuthentication.RedirectFromLoginPage()

Discussion in 'ASP .Net Security' started by Mark Teague, Jun 23, 2006.

  1. Mark Teague

    Mark Teague Guest

    Greetings MS ASP.Net Community,

    I am using forms authentication for a site we've been developing. All users
    valid on our Windows domain are eligible to access the site, but are
    enrolled in the application upon initial login by insertion of a record into
    a [User] table located in a SQL Server database. Insertion of this record
    creates an "anonymous" machine generated user ID for them. (The system is a
    ride sharing / carpool application and implements a double blind messaging
    feature.) New users are also required to agree to the "Terms of Service"
    that our legal dept. has composed for this application. So, the login form
    is taking care of all of this for me. It only grants an authentication
    ticket after verifying that:

    1. the user is on the domain
    2. the user has been enrolled by insertion into the [User] table
    3. the user has agreed to the current "Terms of Service"

    Normally, an existing user is redirected from login to a default page
    showing their matching commuters (where they can message potential matches
    anonymously, etc.) However, when the user is a brand spanking new user who
    is accessing the site for the first time I would like to redirect them from
    the login page to a "welcome" page that informs them about their anonymous
    ID and the double-blind messaging feature, etc.

    The problem I seem to have is that when I manually add the cookie for the
    authentication ticket to the outgoing cookies collection and try to invoke a
    statement such as:

    Response.Redirect("Welcome.aspx", False)

    the user is not redirected, but receives the login page again.

    Is it possible to redirect from the login page to a page other than the one
    requested by the user ... i.e. FormsAuthentication.GetRedirectURL()?
    Seemingly, I can only redirect the user from the login page via:

    FormsAuthentication.RedirectFromLoginPage()

    Ok, I think that pretty much sums it up.

    Any help will be greatly appreciated.

    Sincerely,
    Mark
     
    Mark Teague, Jun 23, 2006
    #1

  2. Response.Redirect works.

    Maybe there is some problem in your cookie code and you get bounced back
    again to login.aspx....?!

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Greetings MS ASP.Net Community,
    >
    > I am using forms authentication for a site we've been developing. All
    > users valid on our Windows domain are eligible to access the site, but
    > are enrolled in the application upon initial login by insertion of a
    > record into a [User] table located in a SQL Server database.
    > Insertion of this record creates an "anonymous" machine generated user
    > ID for them. (The system is a ride sharing / carpool application and
    > implements a double blind messaging feature.) New users are also
    > required to agree to the "Terms of Service" that our legal dept. has
    > composed for this application. So, the login form is taking care of
    > all of this for me. It only grants an authentication ticket after
    > verifying that:
    >
    > 1. the user is on the domain
    > 2. the user has been enrolled by insertion into the [User] table
    > 3. the user has agreed to the current "Terms of Service"
    > Normally, an existing user is redirected from login to a default page
    > showing their matching commuters (where they can message potential
    > matches anonymously, etc.) However, when the user is a brand spanking
    > new user who is accessing the site for the first time I would like to
    > redirect them from the login page to a "welcome" page that informs
    > them about their anonymous ID and the double-blind messaging feature,
    > etc.
    >
    > The problem I seem to have is that when I manually add the cookie for
    > the authentication ticket to the outgoing cookies collection and try
    > to invoke a statement such as:
    >
    > Response.Redirect("Welcome.aspx", False)
    >
    > the user is not redirected, but receives the login page again.
    >
    > Is it possible to redirect from the login page to a page other than
    > the one requested by the user ... i.e.
    > FormsAuthentication.GetRedirectURL()? Seemingly, I can only redirect
    > the user from the login page via:
    >
    > FormsAuthentication.RedirectFromLoginPage()
    >
    > Ok, I think that pretty much sums it up.
    >
    > Any help will be greatly appreciated.
    >
    > Sincerely,
    > Mark
     
    Dominick Baier [DevelopMentor], Jun 23, 2006
    #2

  3. Mark Teague

    chris Guest

    Mark,

    First, is this 2.0 or 1.x? In 2.0 they have a CreateUserWizard control
    that you can set what URL you want to send them to after they
    successfully register with your site. In addition the Membership API
    helps to take care of managing all your users. But I am thinking,
    based on your post, that you are doing this in 1.x.

    I heard today at the VS Live show, that the cookies collection can be
    tricky, because it actually contains all of the incoming and outgoing
    cookies in the same collection. The way they handled this was to
    change the cookie directly in the Response.Headers["Cookies"]
    collection.

    All of this probably does not help, but it's late.

    Thanks,
    Chris
     
    chris, Jun 24, 2006
    #3
  4. Mark Teague

    Mark Teague Guest

    Thanks for your replies,

    It is the v1.1 Framework. That's interesting about both the incoming and outgoing cookies being in the Response.Cookies collection. I would think that the incoming cookies should be a member of the Request object.

    Anyway, a check against Response.Cookies.Count just before the Redirect() reveals that there is one cookie in the collection.

    Now for what's really interesting! I created a test ASP.Net solution in another virtual directory on my local development machine and the following code works just fine in the login button's click() event handler:

    Dim authTicket As FormsAuthenticationTicket

    authTicket = New FormsAuthenticationTicket(txtUsername.Text, True, 60)

    ' Now encrypt the ticket.
    Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)

    ' Create a cookie and add the encrypted ticket to the
    ' cookie as data.
    Dim authCookie As HttpCookie = _
        New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)

    ' Add the cookie to the outgoing cookies collection.
    Response.Cookies.Add(authCookie)
    Response.Redirect("Welcome.aspx")

    But from my Carpool/RideShare application's virtual directory it acts as though the cookie for the authentication ticket was never written to the client. Subsequent requests get redirected to the login page.

    It's become a mystery! :)
    Mark
     
    Mark Teague, Jun 26, 2006
    #4
  5. Mark Teague

    Mark Teague Guest

    All,

    A co-worker helped me debug this problem earlier this morning and we discovered that it was definitely an issue with the authentication ticket cookie.

    In particular, I was encrypting the authentication ticket via the following overload (where the Groups string should have contained a comma-separated list of the domain groups to which the current user is a member). But the Groups string was a null reference because the call to initialize it via LDAP had been commented out:

    _authTicket = New FormsAuthenticationTicket(1, _
                                                _username, _
                                                DateTime.Now, _
                                                DateTime.Now.AddMinutes(60), _
                                                True, _
                                                Groups)

    Apparently, that causes the following statement that encrypts the ticket to return an empty string or a malformed authentication ticket.

    Dim encryptedTicket As String = FormsAuthentication.Encrypt(_authTicket)

    Initializing the Groups string to an empty string cured the problem.

    Thanks for your help!
    Mark
     
    Mark Teague, Jun 26, 2006
    #5
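
Added example (not part of the thread and not any poster's code): a VB.NET guard for the failure described in post #5, which refuses to send a forms-authentication cookie unless the encrypted ticket is non-empty and decrypts back to the same user, then redirects new users to the welcome page. AuthTicketHelper, TryIssueTicket, RedirectAfterLogin and the isNewUser flag are hypothetical names; the syntax is kept compatible with the v1.1 Framework used in the thread.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

' Added example: hypothetical helper, not code from the thread.
Public Class AuthTicketHelper

    ' Returns True only when a usable auth cookie was added to the response.
    Public Shared Function TryIssueTicket(ByVal response As HttpResponse, _
            ByVal username As String, ByVal groups As String) As Boolean
        If username Is Nothing OrElse username.Length = 0 Then Return False
        ' Failure mode from post #5: userData was a null reference.
        If groups Is Nothing Then groups = String.Empty

        Dim issued As DateTime = DateTime.Now
        Dim ticket As New FormsAuthenticationTicket(1, username, issued, _
            issued.AddMinutes(60), True, groups)

        Dim encrypted As String = FormsAuthentication.Encrypt(ticket)
        If encrypted Is Nothing OrElse encrypted.Length = 0 Then Return False

        ' Round-trip check: a ticket that cannot be decrypted here will not
        ' authenticate the next request either, so fail now, not silently.
        Dim check As FormsAuthenticationTicket = Nothing
        Try
            check = FormsAuthentication.Decrypt(encrypted)
        Catch ex As Exception
            Return False
        End Try
        If check Is Nothing OrElse check.Name <> username Then Return False

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.Secure = FormsAuthentication.RequireSSL
        ' A manually built cookie is persistent only if Expires is set.
        If ticket.IsPersistent Then cookie.Expires = ticket.Expiration
        response.Cookies.Add(cookie)
        Return True
    End Function

    ' New users go to the welcome page, everyone else to the requested URL.
    Public Shared Sub RedirectAfterLogin(ByVal response As HttpResponse, _
            ByVal username As String, ByVal isNewUser As Boolean)
        If isNewUser Then
            response.Redirect("Welcome.aspx")
        Else
            response.Redirect(FormsAuthentication.GetRedirectUrl(username, True))
        End If
    End Sub
End Class
```

Call RedirectAfterLogin only when TryIssueTicket returns True; on False, log the failure and stay on the login page so a bad ticket shows up as an error instead of a redirect loop.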