Adding flash message when the user is redirected to login page in Symfony2 - symfony

I have a simple Symfony2 application that requires the user to be authenticated to see some pages.
When a protected page is visited while anonymous, the user is redirected to the login page. This is all working as expected, but I would like to add a flash message when the user is redirected to the login page for the first time (something like "Login to see this page").
I am not sure what would be the best approach. I think that the redirection is triggered by ExceptionListener::startAuthentication. The second argument of this method is an exception (AuthenticationException $authException), that is probably set to something when the user is trying to access a protected page while being anonymous.
Can I somehow override this behavior and add a flash message or is there a simpler way?

Maybe you can use the "before and after" filters explained in the documentation: http://symfony.com/doc/current/cookbook/event_dispatcher/before_after_filters.html
I think this is a good approach for your case.

Related

Show flash message if redirected to login form

I'm using FOSUserBundle.
When a user tries to reach a protected URL, he is redirected to the login form. This is OK, but I want to show a flash message informing the user why he has been redirected to the login form. Something like: 'You have reached a protected area. You must login into your account ....'
This message must be displayed only when the user is redirected from a protected area, not when the user goes to the login URL directly.
Any idea?
I would suggest creating an event listener for the HttpKernel exception event, which happens to be the example given in the Cookbook chapter on creating event listeners.
You can find the list of exceptions here. I'm guessing you'd want the AccessDeniedHttpException.

Asp.net mvc Authentication filter override default redirect

In my MVC 5 application I have applied some Role filters such as:
[Authorize(Roles = "ManageRoles")]
Now if a user does not have permission to access this role, it redirects me to the login page. This is incorrect in my application as I want to rather display an error message saying that you do not have permission to access.
Where do I change what happens if a user is not authorised to access a filter?
Do I have to implement custom filters? I would like to try and use the redirectTo action if possible so that I can have different error pages in different situations.
Use Custom Authorize Attribute - Ben Scheirman or Ben Cull's answer in this thread.
Also check Mark's response to a similar question, where he used HandleUnauthorizedRequest to redirect unauthorized users.
In both of the above approaches, you can redirect to any Route or Action of your interest and use HttpContext.Items[] or TempData to hold the specific error messages or values to be displayed on the destination page.
MVC5 has actually started to address this issue. They now include Authentication Filters in addition to Authorization Filters. These are pretty lightly documented, but my gut feeling is that this is a first stab at separating authentication from authorization (up until now, ASP.NET has confused the two).
What I'm thinking is that Authentication filters will be used to control whether a user is logged in or not, and Authorization filters will be used to control what you have access to. However, it seems that this isn't yet fully realized.
In your Login view, you can add logic for:
1. Checking if the request is not authenticated
1.1. Display login form
2. Checking if the user is authenticated but not in the required role
2.1. Display error message
Since you'll be automatically redirected to the login page by your Web.config settings, you can take advantage of this mechanism.
@if (!Request.IsAuthenticated)
{
    // render login form
}
else
{
    <p>Error: you do not have the necessary credentials to access this resource.</p>
}
Another option would be to create your own AuthorizationAttribute. This question is similar to yours. You might find it useful.

log out and back button

I'm using Forms authentication. I have a small problem after the user logs out. If he hits the back button after he logs out, he's sent to the page he was on when he was logged in.
What is the best way to prevent that? I've looked around but it doesn't seem that there's one definitive approach. Ideally, I'm thinking I'd like to have a function on the master page or even in an httpmodule that checks to see if the user is logged in and if not, redirect him to the login. Is that the best way to do it?
Thanks.
As long as you do Session.Abandon() and FormsAuthentication.SignOut() on your Logout page, it doesn't matter whether the user can go back to the previous page he was in; the moment he clicks on anything he will be redirected to the Login page.
Example:
Page_Load login/logout page:
if (!IsPostBack)
{
    FormsAuthentication.SignOut();
    Session.Abandon();
}
You may turn off the cacheability of restricted pages by adding the following statement in the page_load event.
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Since the Back button in the browser is not controllable by ASP.NET (at least not in a way to disable it), I suggest that you do it like you suggested:
On every page, check to see whether the user is logged in, if not, redirect him to the login page, optionally with a goto parameter to redirect him back to the page he wants to navigate to after successfully being logged in.
I do it this way, too for most of our applications.
HttpContext.User has the IsAuthenticated property for you to check in every page. If you really want to use your custom session variable, make sure you remove it or do Session.Abandon at logout and check for it in all pages anyway.

ASP.NET: directing user to login page, after login send user back to page requested originally?

I am trying to manually implement a login system in ASP.NET 3.5. Basically, on load, I would like the site to check and see if the user object is active; if not, then I want the login page to appear.
After user has logged in successfully, I would like the user to be able to access the same page he has requested originally.
for example:
user request to: MyPage.aspx - not logged in
login page appears instead of MyPage.aspx
user logs in successfully
MyPage.aspx appears instead of Default.aspx for example
Peering at the System.Net namespace, I see that there is an "HttpWebRequest Class" which has a "HttpWebRequest.AllowAutoRedirect Property" but am unsure how that would get me back from the login page.
NOTE: I know there are automatic authentication systems setup in ASP.NET, but I would like to have manual control over the database.
-- Tomek
What you could do, if you don't want to actually use the built-in Forms Authentication, is:
Check if the user is authenticated on each page you want to hide from anonymous users. If they are not authenticated, redirect them to your login page with the URL in the query string.
if (!HttpContext.Current.User.Identity.IsAuthenticated) {
    // Not logged in: go to the login page and remember the requested page.
    Response.Redirect("~/login.aspx?redirect=this_page.aspx");
}
Then on your login page, after a user logs in, check the query string to see if there is a redirect parameter.
string redirect = Request.QueryString["redirect"];
if (!String.IsNullOrEmpty(redirect)) {
    string url = ResolveClientUrl(redirect);
    Response.Redirect(url);
}
Of course this is all built into .NET using Authentication, where you can deny anonymous access to certain directories, and when you do that, .NET will redirect to your login page (which is set in the web.config) and will include a "ReturnURL=blahblah" on your login page.
Just an FYI.
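A `redirect` query-string value is attacker-controllable, so the login page should only follow it when it points back into the same site. The following is an added example, not code from any answer on this page: the `ReturnUrl` class and its method names are hypothetical, the sample values are constructed, and it assumes the protected page passes a root-relative or app-relative path (for instance `Request.RawUrl`) rather than a bare file name.

```csharp
using System;

public static class ReturnUrl
{
    // True only for "/path" or "~/path" targets that stay on this site.
    public static bool IsLocal(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Control characters (CR, LF, tab) have no place in a redirect target.
        foreach (char c in url)
            if (char.IsControl(c)) return false;

        // Strip the app-relative marker so both forms share one check.
        string path = url.StartsWith("~/", StringComparison.Ordinal)
            ? url.Substring(1) : url;

        if (path[0] != '/') return false;          // absolute URLs, schemes, bare names
        if (path.Length == 1) return true;         // "/" or "~/"
        return path[1] != '/' && path[1] != '\\';  // "//host" and "/\host" leave the site
    }

    // Returns the candidate when it is local, otherwise the fallback page.
    public static string OrDefault(string candidate, string fallback)
    {
        return IsLocal(candidate) ? candidate : fallback;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values for the "redirect" parameter.
        string[] samples =
        {
            "/MyPage.aspx?id=7", "~/Reports/Monthly.aspx", "/",
            "http://example.invalid/", "//example.invalid/x",
            "/\\example.invalid", "this_page.aspx",
            "/a\r\nX-Injected: 1", "", null
        };
        foreach (string s in samples)
        {
            string shown = s == null ? "(null)" : s.Replace("\r\n", "\\r\\n");
            Console.WriteLine("{0,-26} -> {1}", shown,
                ReturnUrl.OrDefault(s, "~/Default.aspx"));
        }
    }
}
```

On the login page the call would be `Response.Redirect(ReturnUrl.OrDefault(Request.QueryString["redirect"], "~/Default.aspx"));`, so anything that is not a local path falls back to the default page.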
Just save the originally requested url in Session or a hidden field on the login page
After successful login, use Server.Transfer or Response.Redirect to jump to that page.
It looks like another method is described here. It seems that you can use the following object to return from the login page:
FormsAuthentication.RedirectFromLoginPage
Yet, according to the article, the better method is to use what JackM described, but with an overload:
Response.Redirect("~/default.aspx", false);
In doing so, you prevent the Session from ending when the page is redirected.

What interacts with the DotNetNuke UserLogin function found in the AspNetMembershipProvider?

I'm trying to figure out where the login functionality is that interacts with the UserLogin function of the AspNetMembershipProvider section; there are no references to where the login functionality exists. I know this is the function to interact with the data, I just need to find where in the source code the login is so I can customize the login (e.g. redirect on login based on user roles, personalized message, etc.)
Any ideas?
Never mind, found it, just a bit blind. Login.aspx.cs had it, it was just in the private members section and I was looking in the event handlers section.
