Modifying FormAuthentication 302 redirect behavior - c#

I want to intercept the FormAuthentication 302 redirect code where it checks whether a user is allowed to view a page or not, and if he is not, the module sends the user to '/login.aspx?ReturnURL="Requestedpage.aspx"'. I want to add a custom query string here.
Edit: URL rewriting will not work for me. I want to intercept that code only. I want to set custom headers too from there.

Use URL Rewriting to set up a rule so that the URL /login.aspx?ReturnURL="Requestedpage.aspx" is rewritten to whatever you require.

Related

Redirect to external URI, even if it's not valid

General info:
I am working on an ASP.NET MVC 5 application that sends emails and tracks link-clicking from within each email. When some user follows a link, they perform a GET query to my web server with certain query parameters. Meanwhile, my application saves information about the click and redirects the user to the initial (target) site.
Closer to the point:
The links in mails may be arbitrary (e.g. http://www.google.com, //google.com, www.google.com) or even not valid (e.g. ab//cd). My application doesn't care about the string values of urls (even if it's like \asdf//sadg:) and will simply paste them directly to the address bar.
For this purpose I tried to use Redirect and RedirectPermanent methods, and the UriBuilder class. Redirect and RedirectPermanent may combine addresses and try to redirect to the local path if the url is specified without a scheme. UriBuilder manages to add a scheme if needed, but it throws exceptions when the url is invalid. JavaScript location.replace has the same behavior as c# Redirect, by the way.
The issue:
How can I redirect to arbitrary urls from my ASP.NET MVC controller without any validations and redirects to local paths?
You should be able to use the Redirect() method and just pass in a string. I don't think it tries to validate the given URI as long as you pass it in as a string.
Tested and "works" (Browser receives the correct location header):
return Redirect("\asdf//sadg:");
If you want to do this "manually", you could do something like this to perform the redirect by yourself:
Response.AddHeader("Location","whateverurl");
HttpContext.Response.StatusCode = (int)HttpStatusCode.Moved;
return new ContentResult() { Content = String.Empty };

MVC Redirect with headers

In an action method I want to redirect to a third party url. They collect some info from custom headers.
I have understood that I can not redirect the user, for example:
return RedirectResult(some url);
since the browser will not reattach my custom headers.
How do I do this? Is this a wrong approach?
They collect some info from custom headers.
So you can't redirect. You need to read their documentation. You're most likely expected to do an HTTP request to their server and show the user the response.

Check if redirected to default page

How to check using C# if "redirect" to "default document" happened?
For example, in the browser I type the URL: mysite.com/. When on the server I check HttpContext.Current.Request.Url.AbsoluteUri, I receive mysite.com/default.aspx...
How can I get the exact URL that the user has in his browser?
Thanks
EDIT: After some questions about the needs, I will give more details.
I have a page, default.aspx, with an iframe inside of it. The iframe src is not the same origin (default.aspx is http and the iframe content is https). On the server side, I need to set the query string param on the src of the iframe to include the exact URL that the user has in the browser. I need it in order to be able to set parent.location = parentURL + '#myparam' on the iframe client side.
Currently everything works fine, except when the request is made to the domain name without providing a file name.
Try HttpContext.Current.Request.RawUrl
You typed
mysite.com/.
and you get
mysite.com/default.aspx...
Because you have set default.aspx as the default / start-up page in your site. The browser always redirects to the default page. I think when we type mysite.com, ASP.NET automatically appends the default page to the URL, so when we use Request.Url we get mysite.com/default.aspx.
Reading your intention for the IFrame, perhaps you are looking for a Frameset script to determine the redirection?
if (parent.location.href==window.location.href)
{
// you re-direction codes...
}
EDIT :
Given the different HTTP and HTTPS, it's likely the Same Origin Policy kicked in. There is a workaround: you could use the PostMessage interface for cross sites.
The other option would be to manage it on the server (IIS), so that both http/https URL requests are set to the default document, so that you don't need to alter client-side scripting to handle such complications.
You should delete the 'Default.aspx' page from your IIS Default document list. Then you get the exact URL that the user entered.

How to check what URL a RedirectToRouteResult will make?

In my asp.net-mvc project I do a redirect from a post request to a get request.
In between my redirect and my arrival of the method I expect it to arrive, one of my parameters magically turns into null and I can't figure out why.
Probably it has something to do with my global.asax (route definition).
The only way I can come up with to debug this is with the route debugger library. But I don't see how I can use it with a RedirectToRoute.
Any suggestions?
A little late to the party but this was the first hit on Google for an issue I was having so thought I'd share my experience.
I wanted to parse a RedirectToRouteResult to a URL so I can redirect to it at a later stage, but this class has no method to do this. You can, however, use UrlHelper.RouteUrl(), e.g:
Url.RouteUrl(redirectResult.RouteName, redirectResult.RouteValues);
where Url is a property of the Controller class.
A redirect is a result sent to the browser, and then the browser honors the redirect by doing a GET on the new URL. Therefore, look at the browser to see what the URL is. When the browser receives the redirect, it will do a GET on the new URL, which you can see with Firebug, Fiddler, or the tool of your choice.
Inside the new action, when it is called, you can also examine Request.Url.

Request.UrlReferrer null?

In an aspx C#.NET page (I am running framework v3.5), I need to know where the user came from since they cannot view pages without logging in. If I have page A (the page the user wants to view) redirect to page B (the login page), the Request.UrlReferrer object is null.
Background: If a user isn't logged in, I redirect to the Login page (B in this scenario). After login, I would like to return them to the page they were requesting before they were forced to log in.
UPDATE:
A nice quick solution seems to be:
//if user not logged in
Response.Redirect("..MyLoginPage.aspx?returnUrl=" + Request.ServerVariables["SCRIPT_NAME"]);
Then, just look at QueryString on login page you forced them to and put the user where they were after successful login.
UrlReferrer is based off the HTTP_REFERER header that a browser should send. But, as with all things left up to the client, it's variable.
I know some "security" suites (like Norton's Internet Security) will strip that header, in the belief that it aids tracking user behavior. Also, I'm sure there's some Firefox extensions to do the same thing.
Bottom line is that you shouldn't trust it. Just append the url to the GET string and redirect based off that.
UPDATE: As mentioned in the comments, it is probably a good idea to restrict the redirect from the GET parameter to only work for domain-less relative links, refuse directory patterns (../), etc. So still sanity check the redirect; if you follow the standard "don't use any user-supplied input blindly" rule you should be safe.
If you use the standard Membership provider, and set the Authorization for the directory/page, the code will automatically set a query parameter of ReturnUrl and redirect after a successful login. If you don't want to use the Membership provider pattern, I would suggest manually doing the query string parameter thing as well. HTTP referrers are not very reliable.
The problem could be related to how you redirect the user to some other page. Anyways, the referer url is nothing you should take as an absolute rule - a client can fake it easily.
What you're looking for is best done with a query string variable (e.g. returnURL or originURL). Referrer is best used for data mining operations as it's very unreliable.
See the way ASP.Net does redirection with logins for an example.
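
The "sanity check the redirect" advice in the thread above (domain-less relative links only, no ../ patterns), sketched as an added example that is not part of any post on this page. The class name ReturnUrlGuard, its method names and the /default.aspx fallback are assumptions, and the sample values are constructed:

```csharp
using System;

public static class ReturnUrlGuard
{
    // Assumed landing page used when the supplied value is rejected.
    public const string Fallback = "/default.aspx";

    // True only for a site-rooted path such as "/orders/view.aspx?id=7".
    public static bool IsSafeLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false; // must start at the site root
        string decoded = Uri.UnescapeDataString(url); // also inspect the percent-decoded form
        return LooksLocal(url) && LooksLocal(decoded);
    }

    private static bool LooksLocal(string s)
    {
        // "//host" and "/\host" are read by browsers as a different host.
        if (s.Length > 1 && (s[1] == '/' || s[1] == '\\')) return false;
        foreach (char c in s)
            if (char.IsControl(c) || c == '\\') return false; // CR/LF and backslashes anywhere
        // Refuse ".." as a path segment (directory pattern).
        return Array.IndexOf(s.Split('/', '?', '#'), "..") < 0;
    }

    // Returns the value to redirect to: the input if it is local, else the fallback.
    public static string Resolve(string returnUrl)
    {
        return IsSafeLocalPath(returnUrl) ? returnUrl : Fallback;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the page.
        string[] samples = {
            "/orders/view.aspx?id=7",   // kept as is
            "http://other.example/",    // absolute URL
            "//other.example/login",    // scheme-relative URL
            "/\\other.example",         // backslash variant of the above
            "/app/../admin.aspx",       // directory pattern
            "/app/%2e%2e/admin.aspx",   // same pattern, percent-encoded
            "/a.aspx%0d%0a",            // encoded control characters
            "orders.aspx"               // not rooted at the site
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-28} -> {1}", s, Resolve(s));
    }
}
```

On the login page this would be called as Response.Redirect(ReturnUrlGuard.Resolve(Request.QueryString["returnUrl"])) after a successful login. ASP.NET MVC controllers have Url.IsLocalUrl for the same purpose.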
