Some of my pages are restricted to logged-in users only. When someone tries to enter such a page, I redirect him to the login page. Then, after a successful login, I would like to redirect him to the previously desired page.
Where can I keep that URL?
I can't use the session mechanism.
Thank you very much for your help.
You can put it in the QueryString like Asp.Net Membership does.
http://www.example.com/Login?returnUrl=/home/
Put it in the querystring e.g.
http://www.mysite.com/login.aspx?RedirectUrl=SomeRestrictedPage.aspx
I would argue that the "best" way is to not remember that URL at all, but instead to pass it as a query string value to the login page. It's a more stateless approach.
When you redirect the user to the login page, you can URL encode the path to the redirecting page and add it to the query string in the redirect. Then, in your login page, check for that value. If the value exists (and passes any validation you wish to add, such as ensuring that it's a relative path to your own site and is a valid page, etc.), redirect the user to that page. If it doesn't exist, redirect to a default page.
Just use forms auth and use the built in ReturnUrl:
Explained: Forms Authentication in ASP.NET 2.0
Cookieless Forms Authentication
ASP.NET 2.0 supports cookieless forms authentication. This feature is controlled by the cookieless attribute of the forms element. This attribute can be set to one of the following four values:
UseCookies. This value forces the FormsAuthenticationModule class to use cookies for transmitting the authentication ticket.
UseUri. This value directs the FormsAuthenticationModule class to rewrite the URL for transmitting the authentication ticket.
UseDeviceProfile. This value directs the FormsAuthenticationModule class to look at the browser capabilities. If the browser supports cookies, then cookies are used; otherwise, the URL is rewritten.
AutoDetect. This value directs the FormsAuthenticationModule class to detect whether the browser supports cookies through a dynamic detection mechanism. If the detection logic indicates that cookies are not supported, then the URL is rewritten.
If your application is configured to use cookieless forms authentication and the FormsAuthentication.RedirectFromLoginPage method is being used, then the FormsAuthenticationModule class automatically sets the forms authentication ticket in the URL. The following code example shows what a typical URL looks like after it has been rewritten:
http://localhost/CookielessFormsAuthTest/(F(-k9DcsrIY4CAW81Rbju8KRnJ5o_gOQe0I1E_jNJLYm74izyOJK8GWdfoebgePJTEws0Pci7fHgTOUFTJe9jvgA2))/Test.aspx
Related
I have a website with two different domains.
us.site.com
usa.site.com
Now when a user clicks on Login, it first checks their country. According to the country, I want to redirect the whole site to that URL, and at that time it should not ask again for the account ID and password. So I want to maintain these things, but they should not be visible in the URL.
Please suggest any way to do this.
I don't want to use QueryString and Cookie.
Posting my comment as an answer.
The basic idea is as follows. You can use cookies. On login, create a cookie for "site.com" containing the user information. When the user is redirected to, say, usa.site.com to log in, check the cookies in page load. If you find the cookie, read it and convert it to a session. Use the session from then on to check the logged-in user's information.
Related question links:
How can you keep a session across multiple subdomains in c# mvc?
How can I share a session across multiple subdomains in ASP.NET?
Write cookies from subdomain and read from another subdomain without changing web.config
To make the cookie secure, use encryption.
References:
http://www.codeproject.com/Articles/13665/HttpSecureCookie-A-Way-to-Encrypt-Cookies-with-ASP
Encrypt cookies in ASP.NET
http://www.c-sharpcorner.com/UploadFile/manishkdwivedi/encrypting-and-decrypting-cookies-in-Asp-Net-2-0/
Use MD5/SHA encryption to store the value in a cookie, and once you redirect to the other page, use the decryption algorithm and use that cookie value.
It will solve your issue. Check the links below for reference:
http://www.codeproject.com/Articles/38951/How-To-Hash-Data-Using-MD-and-SHA
http://www.codeproject.com/Articles/14150/Encrypt-and-Decrypt-Data-with-C
http://www.codeproject.com/Articles/12602/Using-MD-Encryption-with-C-and-MSSQL
Or, as an alternative, you can store the value in a temporary database table.
I want to use the domain: aaaa.com to have a login form for the site at domain: cccc.com.
Note, I have full control of the server at cccc.com and have set up CORS on the server at cccc.com. I essentially have full control of the server at aaaa.com as well.
I am using jQuery's $.ajax to send a POST to the cccc.com ASP.NET MVC 3 server. It looks like I get the right response back and I see the ASP.NET_SessionId and .ASPXAUTH cookies in the response. When I get the correct response in JavaScript with no login errors, I want to redirect to cccc.com/Home/Index using window.location. Everything seems to be working up to this point: authentication, getting a correct response, etc. However, when JavaScript redirects, cccc.com still wants me to log in again. Why is this happening?
Is it because the authentication cookies belong to aaaa.com? How can I work around this?
Thanks
Yes, the authentication cookies will belong to the other site, and are not shared.
If you had a subdomain of cccc.com instead of a completely separate domain, it would work if you set a domain-wide cookie.
As it is though, you will have to copy the cookie upon login, logout, and any other authentication methods that modify how the cookie is stored. If you're on a different server, you would also lose your ability to do sessions unless you have a session state server.
You could try copying the auth cookies with JavaScript after your POST to log in completes.
My IIS folder structure is like this:
Default Web Site---->online, accessed with www.sitename.com/online
Default Web Site---->trade, accessed with www.sitename.com/trade
Default Web Site---->private, accessed with www.sitename.com/private
Here the login page resides inside "Default Web Site---->trade/Login.aspx". When the user enters www.sitename.com/online or www.sitename.com/private or www.sitename.com/trade, he/she is redirected to the URL www.sitename.com/trade/Login.aspx.
So my need is that when the user enters "www.sitename.com/online", he/she should remain on the same URL, www.sitename.com/online, and not "www.sitename.com/trade/Login.aspx". So how can I maintain the URL that the user entered?
Thanks,
Joby
The best way to do this is to pass a parameter with the original URL in your redirect to the login page, and then have the login redirect you back to that original URL:
Location: http://example.com/login?ref=http%3A%2F%2Fexample.com%2Ffoo
Then, after login, you read the "ref" parameter and do a location redirect back.
If you are using the built-in membership provider, then you may use the [Authorize] attribute, which has functionality to redirect the user to the original page: after the user gets authenticated, the system will automatically redirect the user to the requested page.
Or you may try the following solution:
Something like this:
www.sitename.com/trade/Login.aspx?ReturnUrl=http%3A%2F%2Fsitemap.com%2Fonline
After the user gets authenticated, you may redirect the user to the requested page.
Response.Redirect(Request.QueryString["ReturnUrl"]);
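A validation step to run before that redirect, along the lines an earlier answer describes (accept only a relative path on your own site, otherwise fall back to a default page). This is an added example, not code from any of the answers; ReturnUrlCheck, its methods and /trade/Default.aspx are hypothetical names, and the login page is assumed to receive a site-relative path such as /online rather than an absolute URL.

```csharp
using System;

public static class ReturnUrlCheck   // hypothetical helper, not an ASP.NET API
{
    // True only for a path rooted at this site, e.g. "/online" or "/trade/Orders.aspx?id=7".
    public static bool IsLocalPath(string url)
    {
        // Rejects missing values, absolute URLs ("http://...") and unrooted paths ("online").
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        // "//host" and "/\host" are read by browsers as another host, not as a path.
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        // Control characters have no place in a redirect target.
        foreach (char c in url)
            if (char.IsControl(c)) return false;
        return true;
    }

    // Value to hand to Response.Redirect after a successful login.
    public static string Resolve(string returnUrl, string defaultPage)
    {
        return IsLocalPath(returnUrl) ? returnUrl : defaultPage;
    }

    public static void Main()
    {
        // Constructed inputs, as they would arrive (already URL-decoded)
        // from Request.QueryString["ReturnUrl"].
        string[] samples = { "/online", "/trade/Orders.aspx?id=7", "http://example.com/foo",
                             "//example.com/foo", "/\\example.com", "online", "", null };
        foreach (string s in samples)
            Console.WriteLine("{0,-26} -> {1}", s ?? "(null)", Resolve(s, "/trade/Default.aspx"));
    }
}
```

ASP.NET MVC 3 and later ship a comparable check as Url.IsLocalUrl.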
Consider using MVC, or at least the routing portion of it, with ASPX pages to render views. This way you can have any URLs you want, unrelated to physical file names.
Users rarely enter any URLs... and I'm not really sure anyone cares as long as the URL makes some sense (or complete nonsense). So I think it is perfectly OK to render the login page at something like /login and then redirect back to the originating page. You can save the original URL in the query string (as #chovy suggests) or in a hidden element on the page if the login never leaves your site. If the login leaves your site (i.e. for OAuth authentication), then session state or cookies may be the place to store the return URL.
I have a VS 2011 solution file with two projects, each is a project file for a web app. One is an older version of the application and the other is a newer version. When a user signs in to the older version, depending on their membership, they might be redirected to the new version. When they do land on the new website, they should not have to go through authentication, instead go directly to their page within the app.
To handle this, I am using response.redirect from the older application along with a querystring indicating that the user has been authenticated.
Code in the older version:
Response.Redirect(sURL + "?Auth=" + sAuth, false);
I am checking for the querystring on the page_load event of the login.aspx.cs of the new app (something like "if querystring authentication = true then continue to next page"). However, I still get the login page.
Code in the page_load event of the new app:
if (Page.IsCrossPagePostBack)
{
    string sAuthenticate = Request.QueryString.Get("Auth").ToString();
    if (sAuthenticate == "1")
    {
        ByPassAuthentication();
    }
}
How can I bypass the login page?
Assuming that this is a FormsAuthentication site, ASP.NET will automatically return the user to the login page if they have not been logged into FormsAuthentication.
So you will have to, at the very least, pass the user's login name as well.
Since you are passing this on the querystring, you will have to be very careful to ensure that only your response.redirect is processed as a valid request. You don't want any user to be able to login by figuring out what the query string parameter is and logging in as the CEO of the company.
We do this by encrypting a combination of the user name and the current time, then on the receiving end, we decrypt and compare the timestamp. If it is outside the tolerance (say 2 minutes), we deny the login request.
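The scheme in this answer, sketched as an added example (not the answerer's code): the old site issues a token carrying the user name and issue time, and the new site rejects anything altered or outside the two-minute tolerance. This version authenticates the token with HMAC-SHA256 instead of encrypting it, so the user name is readable but cannot be changed or forged without the key; HandoffToken and its members are hypothetical names, and both sites are assumed to share a secret key from configuration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class HandoffToken   // hypothetical helper, not an ASP.NET API
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    static readonly TimeSpan Tolerance = TimeSpan.FromMinutes(2);

    // Old site: token = base64(user|unixSeconds) + "." + base64(HMAC-SHA256 of that payload).
    public static string Create(string user, byte[] key, DateTime utcNow)
    {
        long ts = (long)(utcNow - Epoch).TotalSeconds;
        byte[] payload = Encoding.UTF8.GetBytes(user + "|" + ts.ToString(CultureInfo.InvariantCulture));
        using (var mac = new HMACSHA256(key))
            return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(mac.ComputeHash(payload));
    }

    // New site: returns the user name, or null when the token is malformed, forged or stale.
    public static string Validate(string token, byte[] key, DateTime utcNow)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, sig, expected;
        try { payload = Convert.FromBase64String(parts[0]); sig = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        using (var mac = new HMACSHA256(key)) expected = mac.ComputeHash(payload);
        int diff = sig.Length ^ expected.Length;             // constant-time comparison
        for (int i = 0; i < sig.Length && i < expected.Length; i++) diff |= sig[i] ^ expected[i];
        if (diff != 0) return null;
        string text = Encoding.UTF8.GetString(payload);      // parsed only after the MAC checks out
        int sep = text.LastIndexOf('|');
        long ts;
        if (sep < 1 || !long.TryParse(text.Substring(sep + 1), NumberStyles.None,
                                      CultureInfo.InvariantCulture, out ts)) return null;
        if ((utcNow - Epoch.AddSeconds(ts)).Duration() > Tolerance) return null;
        return text.Substring(0, sep);
    }
    public static void Main()
    {
        byte[] key = new byte[32];                            // constructed key for the demo
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        DateTime now = DateTime.UtcNow;
        string token = Create("alice", key, now);             // "alice" is a constructed user name
        Console.WriteLine(Validate(token, key, now.AddSeconds(30)) ?? "(rejected)");
        Console.WriteLine(Validate(token, key, now.AddMinutes(5)) ?? "(rejected)");
        Console.WriteLine(Validate("Ym9i" + token.Substring(4), key, now) ?? "(rejected)"); // payload altered
    }
}
```

Pass the token through Uri.EscapeDataString before appending it to the query string, since Base64 contains '+', '/' and '='. A token stays replayable inside the two-minute window unless the new site also records which tokens it has already accepted.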
You can debug this by right-clicking on your solution, clicking Properties, then starting your two projects. Have a look here: Running two projects at once in Visual Studio. Of course, put a breakpoint on both projects.
Maybe single sign on will help you, check out my question and answer here.
Single Sign On
You could try checking the "IsCrossPagePostBack" property on the new page. Then you'd know if the post back was a redirection.
You need to authenticate the user once you've entered the 'new' site. Assuming you're using .NET Forms authentication, you're probably setting an authentication cookie with code like this:
FormsAuthentication.SetAuthCookie(userLogin, true);
When you do this, it creates a cookie for the user that is used for subsequent requests to the site where it was created, in your case the 'Old' site. So, you either need to create a new auth cookie, or share the auth cookies, which has a few nuances and can be troublesome.
I have a primary web app with authentication on example.com, and I have a secondary app with authentication on subdomain.example.com
I want the 2nd app to be integrated with the first one. So once a user registers and logs in, s/he doesn't have to register/log in again.
It is possible to send a POST request, but this won't generate the cookies in the user's browser...
How can I do that?
Thanks
You're able to set a cookie so that it works on all subdomains (www, subdomain, etc.). See Basics of Cookies in ASP.NET:
By default, cookies are associated with a specific domain. For example, if your site is www.contoso.com, the cookies you write are sent to the server when users request any page from that site. (Except for cookies with a specific path value, as I explained in the section immediately preceding.)
You can also use the Domain property to create a cookie that can be shared among multiple subdomains. For example, set the domain as follows:
Response.Cookies("domain").Value = DateTime.Now.ToString
Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
Response.Cookies("domain").Domain = "contoso.com"
The cookie will then be available to the primary domain as well as to sales.contoso.com and support.contoso.com.