Submit POST data when user logged in using forms authentication - asp.net

I have an ASP.NET application that uses forms authentication to control access. Let's imagine we have a file page.aspx with a form in it. When I press search (the submit button in the form), POST data is sent to that script and I get search results. However, if the user logged out, then pressed the back button in the browser and then pressed search, the user is redirected to the login page. After login, I get that page, but no POST data is sent to that page. Is there any easy way to fix that?

POST data cannot be sent when redirecting with HTTP redirect response.
So you have to change the flow of the application to detect earlier that the user is logged out:
Check login status with ajax request before submitting form
Store submitted data in cookie to recreate the POST after logging in
Store submitted data in session before redirecting to login page

The forms authentication cookie is not the session cookie so if you still have your user session you might be able to store the search parameters in your user session and reload them after login.

Related

JavaFX: do an HTTP POST request in WebEngine

I have googled around but unfortunately I didn't find what I am looking for. For a small application I am working on, I am using a WebView. In this WebView I would like to load a page where I would like to do the login, which is done using an HTTP POST request of type
--> "Content-Type", "multipart/form-data;boundary="+boundary; <--
Using a HttpURLConnection I can use a DataOutputStream, passing the login data to the server. But how would I do such a login with a WebView's WebEngine?
Best Regards
Load the page in the WebEngine and have the user enter their login credentials and submit them just like they would in a standard browser. The WebEngine will do the multi-part form data post to the server to appropriately log the user in.
If you need to automate this process on behalf of the user (i.e. because you have authentication credentials stored elsewhere for a kind of single sign on app), then, once the engine has fully loaded the login page, you can make webEngine.executeScript calls to populate the form login fields on the page and trigger the submission of the login information to the server (probably by triggering a click event on the login form submission button).
You can also use this routine to execute jQuery on the document to do the form filling and trigger the submission if you prefer to work with that API.

asp.net mvc3 authentication

Is there any solution for redirecting the user to the login page when the cookie expires?
I create a FormsAuthenticationTicket and a cookie. Expiration is set to 10 minutes.
When the expiration is over, and the user doesn't make any request for 20 minutes, and after that
he clicks on some link, he would be redirected to the login page and log in again.
I have an HttpModule in an assembly, which is referenced in the web project.
In this module I have the PreRequestHandlerExecute() event,
where I check on every request whether the user is authenticated and refresh the timeout for the cookie.
But if the user is not authenticated, he would be redirected to the login page.
Is there any solution for this? I know about AuthorizeAttribute, but is there any other way to do this?
THANKS
Once the user's cookie has expired it won't be sent in the request, so you have no way of knowing who is a new user and who is a user whose cookie has expired, because neither user will send a cookie with their page request.
One workaround is to set the cookie to 10 mins, but use the Meta Refresh tag to redirect to the login page after 9 mins 50 seconds. Note: the login page would need to log the user out too, otherwise it would refresh the session again.

Call FormsAuthentication.RedirectFromLoginPage 10'000 times?

Is it OK to call FormsAuthentication.RedirectFromLoginPage many times?
On login page we test if user is already logged in, and if it is we just redirect him to default page with FormsAuthentication.RedirectFromLoginPage...
Question is if user sets a script that loads login page 10'000 times, would calling the FormsAuthentication.RedirectFromLoginPage that many times make problems?
Thanks
> On login page we test if user is already logged in, and if it is we just redirect him to default page with FormsAuthentication.RedirectFromLoginPage...
The times when a user goes to the login page when already logged in are:
(i) either they go to that page manually (i.e. they enter the URL to your login page),
(ii) or they are sent there by some manual redirect in your code, or
(iii) he/she is unauthorized to view some resource and is redirected by the ASP.NET authorization module.
Depending on how the user reaches the login page you might want to take appropriate action. In any of the above cases I would not use FormsAuthentication.RedirectFromLoginPage. The only time I would use it on the login page is when the user clicks the login button and the credentials are valid.
FormsAuthentication.RedirectFromLoginPage will create a new authentication ticket every time it is called. I would just do a hard redirect for the scenario you have described:
if (Request.IsAuthenticated)
{
    Response.Redirect(FormsAuthentication.DefaultUrl);
}
You should consider the 3 points I mentioned above before using the code.

ASP.NET Persist POST data through login redirect

I have a site (SiteA) using ASP.NET membership. One thing that it must do is allow the end user at a separate site (SiteB) to launch a new browser window to a page at SiteA with POST data attached to prefill the page.
If the user is logged into SiteA, then the launch from SiteB works and the page is prefilled. However, if the user is not logged in, SiteA's authentication redirects to the login page first. After logging in the user is redirected to the final page, but the POST data is lost and the form is not prefilled.
How can I persist the POST data to the final page?
Sounds like a job for the Cookie Monster. Either set a cookie or a session state var.
cookies
where I learned cookies
session state variables
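
The session-state option suggested here and in the answers to the first question, sketched in C# as an added example (not code from any of the answers). It assumes the target page allows anonymous requests in web.config and does the login check itself in Page_Load, since session state is not yet available when URL authorization rejects a request; PendingPost, the field names q and category, and the 4096-character cap are hypothetical.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.Security;

// Added example. PendingPost, the field names and the size cap are hypothetical.
public static class PendingPost
{
    const string Key = "PendingPost";
    const int MaxChars = 4096;
    static readonly string[] Allowed = { "q", "category" };

    // Call at the top of Page_Load on the target page. Returns true when the
    // request was sent to the login page and the page should stop processing.
    public static bool StashAndRedirect(HttpContext ctx)
    {
        if (ctx.Request.IsAuthenticated) return false;
        if (ctx.Request.HttpMethod == "POST")
        {
            var saved = new NameValueCollection();
            int total = 0;
            foreach (string name in Allowed)
            {
                string value = ctx.Request.Form[name];
                if (value == null) continue;
                total += value.Length;
                if (total > MaxChars) break;
                saved[name] = value;
            }
            // Kept server-side in session state; nothing is echoed back in a cookie.
            ctx.Session[Key] = new object[] { ctx.Request.Path, saved };
        }
        FormsAuthentication.RedirectToLoginPage();   // adds ReturnUrl for this page
        ctx.ApplicationInstance.CompleteRequest();
        return true;
    }

    // Call on the GET that follows login; returns the saved fields once, or null.
    public static NameValueCollection Take(HttpContext ctx)
    {
        var entry = ctx.Session[Key] as object[];
        ctx.Session.Remove(Key);
        if (entry == null || !string.Equals((string)entry[0], ctx.Request.Path,
                StringComparison.OrdinalIgnoreCase)) return null;
        return (NameValueCollection)entry[1];
    }
}
```

Only allow-listed fields are stored, and Take removes the entry on first read so an old submission is not replayed on a later visit to the page.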

ASP.Net Session Not Invalidated After Logout

I have an ASP.NET application; in my login page I call
FormsAuthentication.SignOut
Session.Abandon()
Session.Clear()
However, AppScan is taking the ASPXAUTH cookie value and then, after logout, is able to re-inject the cookie value to gain access to protected pages.
Microsoft has acknowledged a problem but only offers advice, not a fix - http://support.microsoft.com/kb/900111
Can someone provide examples of how to fix this issue?
One option is to have a UserSession table and insert a record into this table when the user logs in. When you logout either delete the entry or mark it invalid. On the secure pages, verify that a UserSession exists for the logged in user and redirect to a login page if it does not.
Set a session value on login, clear it on logout and check it on each access to a secure page. The session value is not sent to the client and as such the client/attacker cannot manipulate it.
Walkthrough without session value cleared on exit:
user visits login page - generates viewstate
man-in-the-middle-hacker collects viewstate
user submits login form - generates auth cookies
man-in-the-middle-hacker collects auth cookies
user logs out - server clears user's cookies
man-in-the-middle-hacker continues to use previous credentials completely unhindered
game over
Walkthrough with session value cleared on exit:
user visits login page - generates viewstate
man-in-the-middle-hacker collects viewstate
user submits login form - generates auth cookies
man-in-the-middle-hacker collects auth cookies
user logs out - server clears user's cookies and sets its internal session flag value to null
man-in-the-middle-hacker continues to use previous credentials, but because the session he is working with now has the value null, the server redirects to the login page.
win!
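
The UserSession-table option from the first answer, as an added C# example rather than code from the answers or from Microsoft. UserSessions and RevocationModule are hypothetical names, and the in-memory dictionary stands in for the database table.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
// Added example. In-memory stand-in for the UserSession table (hypothetical names).
public static class UserSessions
{
    static readonly ConcurrentDictionary<string, string> Live =
        new ConcurrentDictionary<string, string>();
    // Call once credentials are validated; the id travels in the ticket's UserData.
    public static void SignIn(HttpResponse response, string userName, int minutes)
    {
        string sid = Guid.NewGuid().ToString("N");
        Live[sid] = userName;
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(minutes), false, sid);
        response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL });
    }
    public static void Revoke(FormsIdentity id)   // call on logout, before SignOut()
    {
        string ignored;
        if (id != null) Live.TryRemove(id.Ticket.UserData, out ignored);
    }
    public static bool IsLive(FormsAuthenticationTicket t)
    {
        string owner;
        return !string.IsNullOrEmpty(t.UserData)
            && Live.TryGetValue(t.UserData, out owner) && owner == t.Name;
    }
}

// Runs on every request; a replayed cookie whose id was revoked becomes anonymous.
public class RevocationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            var id = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
            if (id == null || UserSessions.IsLive(id.Ticket)) return;
            FormsAuthentication.SignOut();   // expire the cookie in the response
            ctx.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        };
    }
    public void Dispose() { }
}
```

The module has to be registered in web.config, and the logout handler calls UserSessions.Revoke before FormsAuthentication.SignOut(). Because the dictionary is per-process, a web farm or an application restart needs the table the answer describes.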
