Call FormsAuthentication.RedirectFromLoginPage 10'000 times? - asp.net

Is it OK to call FormsAuthentication.RedirectFromLoginPage many times?
On login page we test if user is already logged in, and if it is we just redirect him to default page with FormsAuthentication.RedirectFromLoginPage...
Question is if user sets a script that loads login page 10'000 times, would calling the FormsAuthentication.RedirectFromLoginPage that many times make problems?
Thanks

"On login page we test if user is already logged in, and if it is we just redirect him to default page with FormsAuthentication.RedirectFromLoginPage..."
The times when user goes to login page when already logged-in is
(i) either they go to that page manually (i.e. they enter the URL to your login page)
(ii) or they are sent there by some manual redirect in your code or
(iii) he/she is unauthorized to view some resource and is redirected by the asp.net authorization module.
Depending how user reaches the login page you might want to take appropriate action. In any above cases I would not use FormsAuthentication.RedirectFromLoginPage. The only time I would use it on login page is when user clicks login button and credentials are valid.
FormsAuthentication.RedirectFromLoginPage will create a new authentication ticket every time it is called. I would just do a hard redirect for the scenario you have described:
if (Request.IsAuthenticated) {
    Response.Redirect(FormsAuthentication.DefaultUrl);
}
You should consider the 3 points I mentioned above before using the code.

Related

Caching anonymous page with redirect if user is authenticated

I would like to use page caching for our asp.net mvc site's landing page. This page is accessible to anonymous users only. If the user is logged in however, I would like this page to redirect to the user home page which is authenticated.
The problem is that if I cache the landing page, a logged in user can still access this page because it is cached on their browser.
Obviously a meta refresh header if the user is authenticated will also not work because the page will cache without the header in the first place.
Is there any way to cache the landing page but also redirect if the user is logged in, without using query params, or is conditional GET the only way to do this?
You could use the OutputCacheAttribute, with the VaryByCustom parameter.
If you set it to something like "IsAuthenticated" and then define the GetVaryByCustomString method in your Global.asax file, and return a string of "True" or "False" depending on if the user is authenticated or not perhaps.
In fact, the following Blog Post answers your exact question: Read This

Submit POST data when user logged in using forms authentication

I have an asp.net application that uses forms authentication to control access. Let's imagine we have a file page.aspx with a form in it. When I press search (the submit button in the form), POST data is sent to that script and I get search results. However, if the user logged out, then pressed the back button in the browser and then pressed search, the user is redirected to the login page. After login, I get that page, but no POST data is sent to that page. Is there any easy way to fix that?
POST data cannot be sent when redirecting with HTTP redirect response.
So you have to change the flow of the application to detect that the user is logged out earlier:
Check login status with ajax request before submitting form
Store submitted data in cookie to recreate the POST after logging in
Store submitted data in session before redirecting to login page
The forms authentication cookie is not the session cookie so if you still have your user session you might be able to store the search parameters in your user session and reload them after login.

ASP.NET: directing user to login page, after login send user back to page requested originally?

I am trying to manually implement a login system in ASP.NET 3.5. Basically, on load, I would like the site to check and see if user object is active, if not, then I want the login page to appear.
After user has logged in successfully, I would like the user to be able to access the same page he has requested originally.
for example:
user request to: MyPage.aspx - not logged in
login page appears instead of MyPage.aspx
user logs in successfully
MyPage.aspx appears instead of Default.aspx for example
Peering at the System.Net namespace, I see that there is an "HttpWebRequest Class" which has a "HttpWebRequest.AllowAutoRedirect Property" but am unsure how that would get me back from the login page.
NOTE: I know there are automatic authentication systems setup in ASP.NET, but I would like to have manual control over the database.
-- Tomek
What you could do, if you don't want to actually use the built-in Forms Authentication, is:
Check if the user is authenticated on each page you want to hide from anonymous users. If they are not authenticated, redirect them to your login page with the URL in the query string.
if (!HttpContext.Current.User.Identity.IsAuthenticated) {
    // Not logged in: go to the login page and remember which page was requested.
    Response.Redirect("~/login.aspx?redirect=this_page.aspx");
}
Then on your login page, after a user logs in, check the query string to see if there is a redirect parameter.
if (!String.IsNullOrEmpty(Request.QueryString["redirect"])) {
    // Send the user back to the page named in the query string.
    string url = ResolveClientUrl(Request.QueryString["redirect"]);
    Response.Redirect(url);
}
Of course this is all built into .NET using Authentication, where you can deny anonymous access to certain directories, and when you do that, .NET will redirect to your login page (which is set in the web.config) and will include a "ReturnURL=blahblah" on your login page.
Just an FYI.
Just save the originally requested url in Session or a hidden field on the login page
After successful login, use Server.Transfer or Response.Redirect to jump to that page.
It looks like another method is described here. It seems that you can use the following object to return from the login page:
FormsAuthentication.RedirectFromLoginPage
Yet, according to the article, the better method is to use what JackM described, but with an overload:
Response.Redirect("~/default.aspx", false);
In doing so, you prevent the Session from ending when the page is redirected.
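The `redirect` query-string value used in the answers above arrives from the browser, so the login page should only follow it when it points back into the same site. The following is an added example, not code from any of the posts: `ReturnUrlValidator`, `IsLocalUrl`, `SafeTarget` and `Fallback` are hypothetical names, the sample values are constructed, and it assumes protected pages pass an app-rooted path such as `~/MyPage.aspx` rather than a bare file name.

```csharp
using System;

// Added example: allow-list check for a post-login "redirect" value.
public static class ReturnUrlValidator
{
    // Hypothetical fallback used when the requested target is rejected.
    public const string Fallback = "~/Default.aspx";

    // True only for "/path" or "~/path" on this site. Rejects "//host",
    // "/\host", anything with a scheme, bare names and control characters.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;   // CR, LF, tab and similar

        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        if (url[0] == '~')
            return url.Length > 1 && url[1] == '/'
                && (url.Length == 2 || (url[2] != '/' && url[2] != '\\'));
        return false;
    }

    // What the login page would hand to Response.Redirect after a valid login.
    public static string SafeTarget(string requested)
    {
        return IsLocalUrl(requested) ? requested : Fallback;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values for the "redirect" query-string parameter.
        string[] samples = {
            "/MyPage.aspx", "~/MyPage.aspx?id=5", "https://example.test/MyPage.aspx",
            "//example.test/MyPage.aspx", "/\\example.test", "MyPage.aspx", ""
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-36} -> {1}", "\"" + s + "\"",
                              ReturnUrlValidator.SafeTarget(s));
    }
}
```

In the login page, the call would replace the direct use of `Request.QueryString["redirect"]`, so that rejected values land on the fallback page instead of an external address.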

ASP.NET Persist POST data through login redirect

I have a site (SiteA) using ASP.NET membership. One thing that it must do is allow the end user at a separate site (SiteB) to launch a new browser window to a page at SiteA with POST data attached to prefill the page.
If the user is logged into SiteA, then the launch from SiteB works and the page is prefilled. However, if the user is not logged in, SiteA's authentication redirects to the login page first. After logging in the user is redirected to the final page, but the POST data is lost and the form is not prefilled.
How can I persist the POST data to the final page?
Sounds like a job for the Cookie Monster. Either set a cookie or a session state var.
cookies
where i learned cookies
session state variables

How to redirect user to the previous page (where session expired) after logging in?

I am maintaining a session for user login.
Consider a scenario that, User working on page20 with his account credential.
He is idle for the session variable time out. Then he starts working on page20 and clicks the link of page21. Here the session is expired so he'll be redirected to the Login page.
After successful logged in, User should redirect to the page21.
So how do I achieve it?
The first method that comes to mind is to send the information through a get/post-variable. When you perform the session-check at page21 (I assume) and redirect the user to the login page, you can append the pagename to the address, i.e. redirect to something like www.xyz.com/login.htm?page21 (or if you don't want the pagename to be visible, use post instead). Then simply use that information when the user logs in again to redirect him/her to page21.
Hope that helps.
If you are using forms authentication, there is an inbuilt mechanism to do that, here it is. It will automatically redirect the user to the URL Referrer page
If (FrameworkManager.Authenticate(username, pwd)) Then
    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(username, rememberme)
End If
Really it depends on how you're using your session. If you're keeping all of the information the user enters on screens 1-20 in session, you're going to lose it all once their session expires, so you're out of luck anyway.
If you're storing everything from each page in a database, or some other mechanism, then it should be easy to tell what the last piece of information the user entered. Alternatively, you could also store the url or name of the last page the user submitted in the database.
When they log in, determine which page they should be on, then just redirect them.
If you are doing a Server.Transfer to the login page then Request.UrlReferrer would be the URL of Page21.
Where would you put this code?
If (FrameworkManager.Authenticate(username, pwd)) Then
    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(username, rememberme)
End If
If user wants to login again through another browser then in this situation you must add status column in your database and check if the status is true then you have to redirect this user on last visited page. So save the visited page through cookies and get back page name and redirect on the page.
