How to redirect the user back to where they were after logging in (ASP.NET MVC 3)

I am learning ASP.NET MVC 3, and now I am learning user handling. My first problem (I know there is a lot about this subject on this site, I just can't find anything good for MVC 3) is that I want the login page to redirect me back to where I came from, or where I was redirected from. In PHP I could perhaps add this URL to the query string. But I need a way to do this somehow automatically, and this is such a general design pattern that I was wondering if there is a "built-in" way to do it.

What would be the cleanest or preferred way to do this?

Also, when I am redirected to the login page, what is the best way to check and save the URL from which I was redirected? I would check the referrer in the request object and put it in the URL as "?Redirect=protected.html", but I'm not even sure how to do that correctly.

Any advice on this would be appreciated.

3 answers

MVC works just like ASP.NET.

If you use Forms Authentication, many of these questions will be answered.

In your web.config, find the line that says authentication mode="Windows" and change it to Forms:

 <!-- Unauthenticated requests are redirected to loginUrl -->
 <authentication mode="Forms">
   <forms loginUrl="~/Account/LogOn" />
 </authentication>

MVC 3 will actually provide you with an Account/LogOn route as part of the MVC 3 template project (check your models and see if you have one called AccountModel).

Then you simply add Authorization to block all users from your site:

 <!-- "?" means anonymous (unauthenticated) users -->
 <authorization>
   <deny users="?"/>
 </authorization>

By default, this will send anyone who comes to your site to your login page.

So, after you have verified that the credentials are correct, you set the auth cookie just like in ASP.NET:

 FormsAuthentication.SetAuthCookie(userName, false); 

From there, you can redirect to wherever you want.

Or, to redirect back to where you came from:

 FormsAuthentication.RedirectFromLoginPage(userName, false); 

Not forgetting another useful call:

 FormsAuthentication.SignOut(); 

Without authentication, the site will not allow you to access anywhere until you log in, so CSS will stop working.

The entries I added to make sure this does not happen are as follows:

 <!-- Let anonymous users fetch static CSS and scripts -->
 <location path="Content">
   <system.web>
     <authorization>
       <allow users="?"/>
     </authorization>
   </system.web>
 </location>
 <location path="Scripts">
   <system.web>
     <authorization>
       <allow users="?"/>
     </authorization>
   </system.web>
 </location>

In ASP.NET this is ?returnUrl=...

(1) Make sure you have something like

 <!-- timeout is the forms ticket lifetime in minutes (2880 = 48 hours) -->
 <authentication mode="Forms">
   <forms loginUrl="~/Account/LogOn" timeout="2880" />
 </authentication>

in the web.config in the root folder.

(2) In your controller that you want to protect, add the [Authorize] attribute to it.

Create a new project and select the Internet Application template rather than Empty, and you will get a sample of a simple login process, as well as changing the password.

Note: read also: http://www.asp.net/mvc/tutorials/preventing-open-redirection-attacks

The sample shows that after login it ensures returnUrl is a local URL, using the Url.IsLocalUrl() helper, to protect against an open redirect attack.

Update: The best way is to implement your own custom login process once you really know the standard one. For example, instead of using the URL to track where the user came from, you can set a new httponly cookie to store returnUrl and delete it before redirecting to the previous page.

Another common practice is to use roles. You can restrict a directory/controller to a specific group of users, called a Role, by adding the allowed role as an attribute above the controller:

 [Authorize(Roles = "Admin")] 

See the Visual Studio administration tool for creating sample users and roles using the built-in web interface.

You can also use a sitemap to organize pages and menu links, showing or hiding menu items based on the current user's role. Use mvcsitemap to add security trimming to an ASP.NET MVC sitemap.

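As an added example (not code from the question or any of the answers), here is a LogOn action that applies the returnUrl check from the tutorial linked above. Membership.ValidateUser, the Home/Index fallback and the IsLocalReturnUrl helper are assumptions; the helper mirrors the rules Url.IsLocalUrl uses in MVC 3 so you can see exactly which values are refused.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        // Membership.ValidateUser is what the MVC 3 template uses; swap in your own check.
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View();
        }

        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToLocal(returnUrl);
    }

    // Follow returnUrl only when it stays on this site; otherwise fall back to the home page.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (IsLocalReturnUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // Same rules as Url.IsLocalUrl() in MVC 3: accept an app-relative path ("~/...") or a
    // root-relative path ("/...") that is not protocol-relative ("//host" or "/\host").
    // Absolute URLs ("http://other.example/...") are rejected, so a crafted returnUrl
    // cannot bounce the user to another site after a successful login.
    public static bool IsLocalReturnUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
        {
            return false;
        }
        if (url.StartsWith("~/", StringComparison.Ordinal))
        {
            return true;
        }
        return url[0] == '/' && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```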

In some cases, basic authentication is used instead of the standard form (a common example for enterprise applications).

In this case, I would recommend manually controlling the returnUrl parameter in the request. The login page reads this URL and redirects back after successful authentication.


Source: https://habr.com/ru/post/1343893/
