Infinite loop with HTTP 401 status - asp.net

I wrote an ASP.NET page that requires HTTP Basic authorization, which I put in the Page_Load function:
    void Page_Load(object sender, EventArgs e)
    {
        string auth = Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(auth))
        {
            Response.StatusCode = 401;
        }
        else
        {
            string[] usernameAndPassword = Encoding.UTF8.GetString(Convert.FromBase64String(auth)).Split(':');
            string username = usernameAndPassword[0];
            string password = usernameAndPassword[1];
            Login(username, password);
        }
    }
When I try to view the page in a browser (either Firefox or IE), it asks me for the username and password, and then...asks me for the username and password again.
Why does this happen, and how can I fix it?

This should be handled through an HttpModule. Please consider the following article.
http://www.codeproject.com/KB/web-security/AspNetCustomAuth.aspx
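
Added example, not part of the original question or answer: parsing the Authorization header for HTTP Basic, whose value has the form "Basic <base64(user:password)>". The posted handler passes the whole header value to Convert.FromBase64String and splits on every colon; the parser below strips the scheme, rejects malformed input and splits on the first colon only. The class name, method name and realm string are assumptions.

```csharp
using System;
using System.Text;

// Hypothetical helper for illustration; not from the original post.
static class BasicAuthHeader
{
    // Header form: "Basic <base64(user:password)>".
    // Returns false for a missing header, another scheme, bad base64 or no colon.
    public static bool TryParse(string header, out string user, out string password)
    {
        user = null;
        password = null;
        const string scheme = "Basic ";
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        byte[] raw;
        try { raw = Convert.FromBase64String(header.Substring(scheme.Length).Trim()); }
        catch (FormatException) { return false; }

        string decoded = Encoding.UTF8.GetString(raw);
        int sep = decoded.IndexOf(':');   // the password may itself contain ':'
        if (sep < 0) return false;
        user = decoded.Substring(0, sep);
        password = decoded.Substring(sep + 1);
        return true;
    }

    // In Page_Load, when TryParse or the credential check fails, send the challenge:
    //   Response.StatusCode = 401;
    //   Response.AddHeader("WWW-Authenticate", "Basic realm=\"example\"");  // realm is a placeholder

    static void Main()
    {
        // Constructed sample headers.
        string ok = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:p:ss"));
        string[] samples = { ok, "Basic !!!not-base64", "Bearer abc", null };
        foreach (string h in samples)
        {
            string u, p;
            bool parsed = TryParse(h, out u, out p);
            Console.WriteLine("{0} -> parsed={1} user={2} password={3}", h ?? "(none)", parsed, u, p);
        }
    }
}
```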

Related

ASP.NET: User is still not logged in when OnLoggedIn event is raised.

I'm checking the last time a user has changed the password. If it's more than 90 days, I'll redirect the user to the Password Change page.
    protected void LoginUser_LoggedIn(object sender, EventArgs e)
    {
        // has their password expired?
        var _user = MembershipRepository.GetUser(this.LoginUser.UserName);
        if (_user != null
            && _user.LastPasswordChangedDate.Date.AddDays(90) < DateTime.Now.Date)
        {
            Server.Transfer("~/SiteNav/ChangePassword.aspx");
        }
    }
The problem I'm having is that when ChangePassword.aspx displays, the user is not logged in. Only after I manually refresh the page does the LoginStatus control show the username of the user.
I've tried to refresh the page in the code, but it's still not working.
    protected void Page_Load(object sender, System.EventArgs e)
    {
        var _url = HttpContext.Current.Request.Url.ToString();
        if (_url.ToLower().EndsWith("default.aspx"))
        {
            Page.ClientScript.RegisterStartupScript(this.GetType(),
                "RefreshPage", "window.location.reload();", true);
            Response.Redirect("~/SiteNav/ChangePassword.aspx");
        }
    }
It's so confusing. When we get to the LoggedIn event, I thought the user was already logged in.
Thanks for helping.
It's probably due to the cookie not being included in the response when you do a redirect, as at that point in time the auth cookie will have been set on your machine, but won't have been in the Request. When the cookie is set it's not automatically updated in the response.
See This Answer for some code that should sort it

Accessing Sessions Variables in code behind

Here is my code:
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Session["Authenticated"] )
        {
            Response.Redirect( "index.aspx", false );
        }
    }
Once they log in I set the session to true. Basically, if they don't have an active session I want them redirected back to the index/login page. How do I accomplish this?
Use this check
    if (Session["Authenticated"] == null || !(bool)Session["Authenticated"])
If you are using cookies, you can store a marker in your cookie so you can tell the difference between "fresh browser + new session" and "old browser + expired session".
Below is sample code that will redirect the user to an expired page if the session has expired.
    void Session_OnStart(Object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        HttpCookieCollection cookies = context.Request.Cookies;
        if (cookies["starttime"] == null) {
            HttpCookie cookie = new HttpCookie("starttime", DateTime.Now.ToString());
            cookie.Path = "/";
            context.Response.Cookies.Add(cookie);
        }
        else {
            context.Response.Redirect("expired.aspx");
        }
    }
And if you are trying to implement sessions this might help you http://aspalliance.com/1621_Implementing_a_Session_Timeout_Page_in_ASPNET.2

Asp.NET cookies returning null

I'm trying to save a cookie when a button is clicked like so...
    protected void btn_login_Click(object sender, EventArgs e)
    {
        HttpCookie cookie = new HttpCookie("test");
        cookie["work"] = "now";
        cookie.Expires = DateTime.Now + new TimeSpan(1, 0, 0, 0);
        cookie.Domain = ".cookie.com";
        Response.Cookies.Add(cookie);
    }
Then on the page_load I am reading the cookie...
    protected void Page_Load(object sender, EventArgs e)
    {
        string a = Response.Cookies["test"]["work"];
    }
But it keeps coming back null. I am running this under localhost and I read that cookies won't save under localhost so I edited my host file to say
127.0.0.1 test.cookie.com
When I used Fiddler to see what was getting posted to the header of the page, it looks like this...
test/work = now
test =
So I can see that it is getting set but for some reason when I read it in it returns null.
On the page_load change it from Response.Cookies to Request.Cookies.
The Response object is for sending data back. The Request object has data that is passed to you.
example:
    String a = Request.Cookies["test"]["work"];
Note that if the cookie doesn't exist, then this will cause a null reference exception.
Usually you should do something like:
    protected void Page_Load(object sender, EventArgs e) {
        HttpCookie cookie = Request.Cookies["test"];
        String a = String.Empty;
        if (cookie != null) {
            a = cookie["work"];
        }
    }
Try this
    Response.Cookies["work"].Value = "Value1";
Refer to this for more information.
On page load, for reading the cookie try
    string value = Request.Cookies["work"].Value;

Get session object from sessionID in ASP.Net

Is there any way to get a session object from a sessionID?
I have a small project using a Flash upload to let a user upload their file to the server, but the problem is that Flash has some error when sending the session and cookie (in Firefox or Chrome, but not IE), so I found a solution to fix this problem: sending the sessionID through Flash to the server, and on the server, decoding the sessionID back to the session object, but I don't know how to do it. I'm using ASP.NET and C#.
Can anyone advise me on what to do?
The link proposed by Moo-Juice is no longer working.
I used the code provided in this page:
http://snipplr.com/view/15180/
It worked like a charm.
In case the link becomes broken, here is the code:
    void Application_BeginRequest(object sender, EventArgs e)
    {
        try
        {
            string session_param_name = "ASPSESSID";
            string session_cookie_name = "ASP.NET_SESSIONID";
            string session_value = Request.Form[session_param_name] ?? Request.QueryString[session_param_name];
            if (session_value != null) { UpdateCookie(session_cookie_name, session_value); }
        }
        catch (Exception) { }
        try
        {
            string auth_param_name = "AUTHID";
            string auth_cookie_name = FormsAuthentication.FormsCookieName;
            string auth_value = Request.Form[auth_param_name] ?? Request.QueryString[auth_param_name];
            if (auth_value != null) { UpdateCookie(auth_cookie_name, auth_value); }
        }
        catch (Exception) { }
    }

    void UpdateCookie(string cookie_name, string cookie_value)
    {
        HttpCookie cookie = HttpContext.Current.Request.Cookies.Get(cookie_name);
        if (cookie == null)
        {
            HttpCookie cookie1 = new HttpCookie(cookie_name, cookie_value);
            Response.Cookies.Add(cookie1);
        }
        else
        {
            cookie.Value = cookie_value;
            HttpContext.Current.Request.Cookies.Set(cookie);
        }
    }

ASP.NET Forms Authentication with Windows Safari

Does anyone know why ASP.NET Forms Authentication does not work on Windows Safari, or better yet, how to get it to work? It seems like a very weird issue. When I use a login control (System.Web.UI.WebControls.Login) everything works fine, but if I try to do a custom Forms Authentication login, when I call FormsAuthentication.RedirectFromLoginPage Safari just sends me back to the login page as if I'm not authenticated, whereas every other browser logs me in and sends me on my way.
    protected void lnkLogin_Click(object sender, EventArgs e)
    {
        if (Membership.Provider.ValidateUser(txtUsername.Text, txtPassword.Text))
        {
            Session.Clear();
            HttpContext.Current.Response.Cookies.Clear();
            FormsAuthentication.SetAuthCookie(txtUsername.Text, true);
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);
        }
    }
Try either SetAuthCookie, or RedirectFromLoginPage. The redirect needs to know where to redirect to anyway (ReturnUrl), maybe that is your problem.
    if (Request.QueryString["ReturnUrl"] != null)
    {
        FormsAuthentication.RedirectFromLoginPage("someuserid", false);
    }
    else
    {
        FormsAuthentication.SetAuthCookie("someuserid", false);
        Response.Redirect("~/SomePage.aspx");
    }
This works fine for me in Safari:
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // check login
        User user = UserBAL.GetUser(Login1.UserName, Login1.Password);
        // null and filled object check
        if (user != null && user.Id > 0 && user.Roles != null && user.Roles.Count > 0)
        {
            e.Authenticated = true;
            FormsAuthenticationTicket authTicket = new
                FormsAuthenticationTicket(1,                  // version
                    Login1.UserName,                          // user name
                    DateTime.Now,                             // creation
                    DateTime.Now.AddMinutes(60),              // expiration
                    false,                                    // persistent
                    string.Join("|", user.Roles.ToArray()));  // user data
            // Now encrypt the ticket.
            string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
            // Create a cookie and add the encrypted ticket to the
            // cookie as data.
            HttpCookie authCookie =
                new HttpCookie(FormsAuthentication.FormsCookieName,
                    encryptedTicket);
            Response.Cookies.Add(authCookie);
            // redirect
            Response.Redirect(FormsAuthentication.GetRedirectUrl(
                Login1.UserName,
                false));
        }
        else
        {
            Login1.FailureText = "Login failed.";
        }
    }
