Role authorization, if denied access, how NOT to kick back to login?

[Author]

In my asp.net 3.5 web application (in C#), I am using a custom
RoleProvider.

In order for only Admin users to be able to access the Admin folder, I
have this in my web.config

<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

It works.

But, when an non-Admin user tries to access anything under Admin, he
or she will be kicked back to the Login page.

This is undesirable. Ideally, the user should be kicked back to where
he or she was.

How to do this please? Thank you.

 

[Paul Shapiro]

Maybe another approach to avoid the issue works. If you're using the
built-in menu control, it has an option to do security group menu purging,
meaning that only admin users would see the admin menu items. I like that
better than controlling what happens when they request a page for which they
are not authorized. If a non-admin is guessing at trying to find admin page
urls, rather than picking from a menu, bumping back to the login page would
seem appropriate.

 

[Author]

Maybe another approach to avoid the issue works. If you're using the
built-in menu control, it has an option  to do security group menu purging,
meaning that only admin users would see the admin menu items. I like that
better than controlling what happens when they request a page for which they
are not authorized. If a non-admin is guessing at trying to find admin page
urls, rather than picking from a menu, bumping back to the login page would
seem appropriate.

Thank you.

I am already doing what you said, i.e., only admin users will see the
admin link. Like you said, I am logged in a non-admin user, and I am
trying to "hack into" the admin pages by entering the urls in the
address bar (and hit [Enter]).

I still think it's more user-friendly and logical to kick the me back
to where I was, for example, my profile page, instead of kicking me
back to the Login page because after all, I *am* logged in, then why
ask me to login again?

Any other experienced?

 

[Juan T. Llibre]

re:
!> the user should be kicked back to where he or she was

Capture the referring page's url.

Dim uriReferrer As System.Uri
uriReferrer = System.Web.HttpContext.Current.Request.UrlReferrer

....and redirect to it

Dim strPageToGoNow As String
If uriReferrer is Nothing
strPageToGoNow = "generic_error.aspx"
Else
strPageToGoNow = uriReferrer.AbsoluteUri
End If
Response.Redirect( strPageToGoNow )




Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
=========================

 

[Author]

You can get the current page using the referer (though this is not mandatory
so a browser could not provide this, not sure how many don't ; make perhaps
sure to handle the case where this info is not available depending on your
findings).
If you want a 100% bullet proof thing you'll likely have to track this by
yourself (it can be a bit harder than that with tab browsing).

The logic is that if you are trying to do something you are not allowed to,
you are supposed to have an account that would allow this (such as when
browsing to a network location you are not allowed, assuming this is really
what you want to do Windows shows a dialog so that you can connect with an
account that is allowed to go there).

As this is a "hacker thing" IMO this is more than acceptable (basically your
code should almost never run), actually I would likely choose to raise an
alert on this ;-)

--
Patrice

"Author" <[email protected]> a écrit dans le message de groupe de
discussion :
(e-mail address removed)...

Thank you for sharing. It sounds like that there is no easy way to get
what I want.

Kicking a logged-in user back to the Login screen sounds to me like
sending a park visitor back to the main entrace just because s/he
tries to get into the roller-coaster center (inside the park) without
buying a ticket for this center. Well, maybe as a punishment?

 

[Author]

re:
!> the user should be kicked back to where he or she was

Capture the referring page's url.

Dim uriReferrer As System.Uri
uriReferrer = System.Web.HttpContext.Current.Request.UrlReferrer

...and redirect to it

Dim strPageToGoNow As String
If uriReferrer is Nothing
strPageToGoNow = "generic_error.aspx"
Else
strPageToGoNow = uriReferrer.AbsoluteUri
End If
Response.Redirect( strPageToGoNow )

Juan T. Llibre, asp.net MVP
asp.net faq :http://asp.net.do/faq/

Thanks.

As this is done through web.config, I am not sure in what event
handler I need to code this. Any idea?

Thanks a lot.

 

[Juan T. Llibre]

re:
!> I am not sure in what event handler I need to code this.

Page_Load ...

You still have to filter the status code so the code only applies to 403 status code requests.




Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/
=========================

re:
!> the user should be kicked back to where he or she was

Capture the referring page's url.

Dim uriReferrer As System.Uri
uriReferrer = System.Web.HttpContext.Current.Request.UrlReferrer

...and redirect to it

Dim strPageToGoNow As String
If uriReferrer is Nothing
strPageToGoNow = "generic_error.aspx"
Else
strPageToGoNow = uriReferrer.AbsoluteUri
End If
Response.Redirect( strPageToGoNow )

Juan T. Llibre, asp.net MVP
asp.net faq : http://asp.net.do/faq/

Thanks.

As this is done through web.config, I am not sure in what event
handler I need to code this. Any idea?

Thanks a lot.

 

[Author]

re:
!> I am not sure in what event handler I need to code this.

Page_Load ...

You still have to filter the status code so the code only applies to 403 status code requests.

Juan T. Llibre, asp.net MVP
asp.net faq :http://asp.net.do/faq/

Gotcha, thanks. Will give it a try.