ASP. NET FormsAuthentication

 

In ASP. NET applications, FormsAuthentication is almost the standard, but FormsAuthentication is designed without considering that the login program is not on the same site as the current program. In this scenario, the most basic requirement is to log on to another site and return the same result. However, FormsAuthentication only supports relative paths when transferring ReturnUrl, does not support absolute addresses, and does not provide corresponding extensions.

For example, the following FormsAuthentication settings are made in the web. config of admin.cnblogs.com:

<Authentication mode = "Forms">

<Forms loginUrl = "http://passport.cnblogs.com/login.aspx" timeout = "2880" enableCrossAppRedirects = "true"/>

</Authentication>

<Authorization>

<Deny users = "? "/>

</Authorization>

Access admin. cnblogs. cc/Home/Index will be redirected to passport.cnblogs.com/login.aspx? ReturnUrl = % 2 fHome % 2 fIndex, so you will not be able to return after logon.

So how can we solve this problem?

Three methods are found:

Method 1: Add a logon stepping stone page to the current application. The loginUrl in web. config points to the stepping stone. Obtain the absolute ReturnUrl address in the stepping stone and redirect it to the actual logon page.

For example, in ASP. net mvc, we can use a Controller Action as the stepping stone. The Code is as follows:

Public class LoginController: Controller

{

Public ActionResult Redirect ()

{

Var loginUrl = "http://passport.cnblogs.com/login.aspx ";

Var returnUrl = "? ReturnUrl = http: // "+ Request. Url. Host +

Request. QueryString ["ReturnUrl"];

Return RedirectPermanent (loginUrl + returnUrl );

}

}

Then, point the loginUrl in web. config to the Action.

The disadvantage of this method is to perform two redirection.

Method 2: Set ReturnUrl to an absolute address in the Application_PostAuthenticateRequest event of Global. asax and redirect to the logon page.

The Code is as follows (the Code comes from the http://forums.asp.net/t/1358796.aspx ):

Protected void Application_PostAuthenticateRequest (object sender, EventArgs e)

{

If (! UrlAuthorizationModule. CheckUrlAccessForPrincipal (

Request. AppRelativeCurrentExecutionFilePath,

Context. User, Request. RequestType ))

{

Response. Redirect (String. Format ("{0 }? ReturnUrl = {1 }",

FormsAuthentication. LoginUrl,

Request. Url. AbsoluteUri ));

}

}

Method 3: Modify Response. RedirectLocation in the Application_EndRequest event of Global. asax and replace ReturnUrl with the absolute address.

The Code is as follows (the code is from David Findley's Blog ):

Protected void Application_EndRequest (object sender, EventArgs e)

{

String redirectUrl = this. Response. RedirectLocation;

If (! String. IsNullOrEmpty (redirectUrl ))

{

This. Response. RedirectLocation = Regex. Replace (redirectUrl,

"ReturnUrl = (? 'Url'. *) ", delegate (Match m)

{

String url = HttpUtility. UrlDecode (m. Groups ["url"]. Value );

Uri u = new Uri (this. Request. Url, url );

Return string. Format ("ReturnUrl = {0}", HttpUtility. UrlEncode (u. ToString ()));

}, RegexOptions. Singleline | RegexOptions. IgnoreCase | RegexOptions. ExplicitCapture );

}

}

The disadvantage of this method is to process all redirected URLs, not just logon.

We chose the second method. How did you solve this problem? Is there a better way?

This problem is entirely due to the design problem of FormsAuthentication. At that time, I was unable to believe that Microsoft did not take this into account. Then I read the FormsAuthentication code, which is really speechless...

I wrote this blog today to vent my hate.

The inspiration from this is that bad designs will be scolded by many people for many years, and excellent designs will be well known.

From Ldudu blog