ASP.net MVC - Authorize with Windows Authentication/Role Provider - c#

I am using Windows Authentication in my MVC application with the WindowsTokenRoleProvider. I created a controller action that looks like:
```csharp
// Role name uses a verbatim string so the backslash in "DOMAIN\Role" is not an escape.
[Authorize(Roles = @"Fake\Role")]
public ActionResult Admin()
{
    return View();
}
```
When I try to hit this page I see a blank page. Is there a way for me to display a custom view that says "You are not authorized to view this page" instead of just showing a blank page? If I were using forms authentication it would redirect me to the login page, but that doesn't really make sense for Windows Authentication, since you never really log in specifically.

You most likely are not getting a blank page (I'm not absolutely certain). You are most likely getting an HTTP response that has no content but has a 403 not authorized status code.
Assuming this is accurate, all you need to do is set up, in ASP.NET custom errors (and IIS custom errors), a redirect rule for 403 codes to the appropriate page.
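An alternative that keeps the 403 status but renders a view, as an added example rather than code from the question or the answer above: a subclass of AuthorizeAttribute that lets the default 401 challenge run for unauthenticated callers and only replaces the empty 403 for callers who are authenticated but lack the role. The view name `NotAuthorized` and the `AdminController` wrapper are assumptions.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example: under Windows Authentication the stock AuthorizeAttribute answers a
// role failure with a body-less 403. This subclass keeps the 403 but renders a view.
public class RoleOrForbiddenAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        // No identity at all: keep the default 401 challenge so IIS can run the
        // Windows authentication handshake.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Authenticated but not in the required role: keep the 403 status (scripts,
        // proxies and logs still see the denial) and render a readable page.
        var response = filterContext.HttpContext.Response;
        response.StatusCode = (int)HttpStatusCode.Forbidden;
        response.TrySkipIisCustomErrors = true;   // stop IIS swapping the body for its own 403 page
        filterContext.Result = new ViewResult
        {
            ViewName = "NotAuthorized",           // assumed view: Views/Shared/NotAuthorized.cshtml
            ViewData = new ViewDataDictionary("You are not authorized to view this page")
        };
    }
}

// The action from the question, using the attribute above.
public class AdminController : Controller
{
    [RoleOrForbidden(Roles = @"Fake\Role")]
    public ActionResult Admin()
    {
        return View();
    }
}
```

The view receives the message as its model, so a one-line `@Model` in NotAuthorized.cshtml is enough to display it.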

Related

ASP.NET 4.0 How to return a 401 with a view

All I want to do is, when a user fails to log in correctly, have my controller pick this up and send the user back to the login view with a message that their login has failed and they should try again. However, I have some scripts that also use this system, and it would be very helpful to them if this returned a 401. Unfortunately, setting Response.StatusCode = 401; at the end, just before I return the ActionResult, doesn't work.
I'm not using any form of Windows authentication; I need to authenticate against an Active Directory server from Mono. I'm developing on Windows, but deploying on Linux/Mono.
tl;dr Return page with a user defined status code.

How to limit the user to practice only single session in one browser window in mvc

We are developing a web application using MVC4 and jQuery Mobile. Recently we found one major issue: "a user using another account in the same browser" overrides the existing account in the current browser. So we decided not to allow a user to use two different accounts in one browser. We searched a lot but were unable to find a perfect solution. So we tried the code below before the login page loads.
```csharp
[AllowAnonymous]
public ActionResult Index()
{
    // Show the login view only to unauthenticated requests.
    if (!Request.IsAuthenticated)
    {
        return View("mLogin");
    }
    else
    {
        // Already signed in from this browser: refuse a second login.
        return View("UserAlready");
    }
}
```
We wrote this code in the login controller. The login page will be shown only when the user is not authenticated. Once he is authenticated we restrict him from loading the login page again.
My question:
Is this the correct method? Does it have any drawbacks? Or is there any other better approach?
Use a cookie with a session id in it. In an Authorize action filter, check the cookie's session value against the user's session value; if the two match, well and good, otherwise you can take the necessary action.
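One way to build the check the answer describes, as an added example that is neither the question's nor the answer's code: at login a random token is stored against the account and in a cookie, and an Authorize subclass rejects any request whose cookie does not match the account's current token. The in-memory dictionary stands in for a column on the user record, and the cookie name `SessionToken` and `Secure = true` (HTTPS) are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example: ties each account to one live session token, so a later login
// (another browser, or another account in the same browser) invalidates the earlier one.
public static class SessionTokenStore
{
    private const string CookieName = "SessionToken";   // assumed cookie name

    // Stand-in for a per-user column in the database.
    private static readonly ConcurrentDictionary<string, string> Tokens =
        new ConcurrentDictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call right after FormsAuthentication.SetAuthCookie on a successful login.
    public static void Issue(string userName, HttpResponseBase response)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        Tokens[userName] = token;   // replaces the token of any earlier login for this account
        response.Cookies.Add(new HttpCookie(CookieName, token) { HttpOnly = true, Secure = true });
    }

    public static bool Matches(string userName, HttpRequestBase request)
    {
        var cookie = request.Cookies[CookieName];
        string expected;
        return cookie != null && Tokens.TryGetValue(userName, out expected) && expected == cookie.Value;
    }
}

public class SingleSessionAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false;
        if (SessionTokenStore.Matches(httpContext.User.Identity.Name, httpContext.Request)) return true;

        // The cookie belongs to a different login than the one on record: drop this
        // browser's authentication instead of letting two sessions share the identity.
        FormsAuthentication.SignOut();
        return false;   // the base class then redirects to the login page as usual
    }
}
```

The login-page check from the question still applies on top of this; the attribute only decides what happens to the older of two sessions once a second login has succeeded.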

How to redirect to the URL entered after login

I'm working in a WEB project based on ASP.NET and C#. It's not a new project, I'm just fixing some bugs and making some updates.
The website works like this: if you're not logged in and type a URL belonging to the website, it redirects you to the login page. Then, if you log in successfully, it redirects you to the opening page.
For instance, let's say "opening.aspx" is the opening page and "vendors.aspx" is another page in the website. If you type "..../projectname/vendors.aspx" into the browser, you're redirected to "..../projectname/login.aspx", and after your login you're redirected to "..../projectname/opening.aspx".
Now, my aim is to redirect the user to the URL he typed, in this example "..../projectname/vendors.aspx", after the successful login. I wrote the code to take the previous page and redirect the user to that page after the login. However, I cannot detect the page the user tried to enter the first time. I'm not sure whether the project sends the user to the login page with some code written by the previous programmers or whether this is something ASP.NET does automatically for the default page. While debugging, I always see the requested page as the login page even though I type some other page URL into the browser.
What I'm looking for is the place where the requested page is changed into the login page instead of the URL I typed. Is this automatic, or should I look for it in the code? If I should look for it in the code, where should I look?
Note: The project is based on 3-Tier architecture, with WEB, BUS, DAL and COM layers and WEB pages use user controls in every page instead of login and default.
Typically, when ASP.NET redirects, it puts the requested page in the URL in the ReturnUrl querystring parameter. You should be able to do something like...
```csharp
// After a successful login: go back to the page the user originally requested.
if (Request.QueryString["ReturnUrl"] != null)
{
    Response.Redirect(Request.QueryString["ReturnUrl"]);
}
```
If you need to do something special, you could store the original page that is in ReturnUrl in something like the session or the database and then redirect after your opening page or whatever.
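Because ReturnUrl arrives from the querystring, the redirect above will follow any address placed there. As an added example (not the answer's code), a helper that only honours values pointing back into this site and otherwise falls back to the opening page; the `~/opening.aspx` fallback path and the code-behind call shown in the comments are assumptions.

```csharp
using System;
using System.Web;

// Added example: follow ReturnUrl only when it stays within this site, so the
// login page cannot be used to send a user on to an external address.
public static class ReturnUrlHelper
{
    // Accepts "/projectname/vendors.aspx" or "~/vendors.aspx"; rejects empty values,
    // "http://other.example", protocol-relative "//other.example" and "/\other.example".
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        if (url.Length == 1) return url[0] == '/';
        return url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }

    // Destination to use after a successful login, with the opening page as the fallback.
    public static string SafeReturnUrl(HttpRequestBase request, string fallback = "~/opening.aspx")
    {
        var returnUrl = request.QueryString["ReturnUrl"];   // already URL-decoded by ASP.NET
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }
}

// In login.aspx.cs after the credentials have been verified (assumed forms authentication):
// FormsAuthentication.SetAuthCookie(userName, false);
// Response.Redirect(ReturnUrlHelper.SafeReturnUrl(new HttpRequestWrapper(Request)), true);
```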
I think you should use cookies and session: when the user logs in, save the user details in cookies,
and the next time the user enters the URL you can check on the master page of those pages whether the cookies are available or not; if the details are available then show the current URL's page, otherwise redirect to the login page.

.ASPXAUTH Cookie Not Found in Request.Cookies

I am creating a web application that is hosted under a web site with forms authentication enabled. I have a role in my authentication database, "Admins". Here is my controller code:
```csharp
[RequireHttps]
[Authorize(Roles = "Admins")]
public ActionResult Index()
{
    return this.View();
}
```
When I go to the Index page, if I'm not authenticated, it redirects me to the login page where I enter my credentials. The login page then redirects back to the Index page of the new app, but the controller doesn't recognize that the user is authenticated.
I have taken the Authorize attribute off and looked at the request as it went out in the Chrome developer console and confirmed that the cookie is indeed being sent. But if I leave the Authorize attribute as is and go to the Index page, the cookie collection on the request in my controller is empty. The headers collection contains a header entitled "Cookie", and the value of the header contains the .ASPXAUTH cookie.
The login page logs the user in with this code:
```csharp
// Persistent or session cookie depending on "remember", scoped to the site root.
FormsAuthentication.SetAuthCookie(userName, remember, "/");
```
This behavior is reproducible in all major browsers.
What can I do to cause the Cookies collection of the request to be populated?
What do I need to do to make the application realize that the user really is authenticated?
Edit:
I still don't have it working, but I'm pretty sure it's something to do with the ASPXAUTH cookie being filtered.
I'm sure there are multiple causes of this problem. In my case, the problem was that the version of MVC I was using to write the cookie was different from the version that was decrypting it. I changed my sites to all be running MVC 4, and the cookie that was created by one site was consumable by the other site.
Is the .ASPXAUTH cookie generated a secure cookie, i.e. SSL? If so and your Index.aspx is only over HTTP not HTTPS, you will not see the cookie in the collection.

Setting TempData within a ActionFilterAttribute

I have a custom action filter that, inside OnActionExecuting, depending on certain criteria, logs out a user and redirects them to the home page of the site. The (stripped back) code for the redirect part is below:
```csharp
// Leave a message for the next request, then send the client to the home page.
filterContext.Controller.TempData.Add("key", "Message");
filterContext.Result = new RedirectResult("/");
```
As above, I am also setting a TempData message. Because the user has been logged out, when they hit the home page the [Authorize] attribute will redirect them to the login GET page. On the login view I am displaying any messages from within TempData. However, in this situation TempData is empty.
This is very similar to how my login POST works (if invalid, it redirects to home, which redirects to login and displays the TempData message that was set in the login POST). This code can be seen below:
```csharp
TempData.Add("key", errorMessage);
return Redirect("/");
```
The reason I am doing it this way, rather than redirecting specifically to the login page, is that this code is distributed across many sites, so we don't know what the login GET URL is.
Does anyone have any information as to why this works for the login POST but not for the action filter redirect?
Edit:
If I remove the logout call within the custom action filter, TempData is still set within the Home action; however, this doesn't explain why it works for the login POST but not the action filter.
So it turns out that when i was logging out the user from the system, i was also abandoning the session (calling HttpContextBase.Session.Abandon()) and also resetting the cookie session id. These were affecting the TempData behavior. By removing these calls, the tempData is now correctly set and displayed.
Setting the result to new RedirectResult("/") will cause the current server-side processing to stop and send the client a response that tells the client to request a new URL, the one you specified in the RedirectResult. The second request is then different, and does not contain the values from the previous processing.
Try using Redirect("/"); or Server.Transfer("/"); to service the new route in the same client request.
