Forms Authentication, Integrated Windows Authentication, and ReturnUrl.
I created a User Control to deal with Integrated Windows Authentication for Members. I created a Login.aspx Document using Umbraco back-office with the User Control embedded (via Macro) to implement this feature.
So, to get the Currently logged-in Windows User ID (strUserID) I am using this method (inside Login.aspx/User Control/Page-Load):
Note: This is a function in MyLib.GetWindowsLoginWeb()
    Dim strUserID As String
    With System.Web.HttpContext.Current
        ' LOGON_USER is empty when IIS has not authenticated the request
        strUserID = .Request.ServerVariables("LOGON_USER")
        If strUserID = "" Then
            ' Challenge the browser for Windows credentials
            .Response.StatusCode = 401
            .Response.StatusDescription = "Unauthorized"
            .Response.End()
        Else
            ' Strip the DOMAIN\ prefix, keeping only the account name
            Dim idx As Integer
            idx = strUserID.IndexOf("\")
            If idx >= 0 Then
                strUserID = strUserID.Substring(idx + 1)
            End If
        End If
    End With
    Return strUserID
For the first time, if the IIS Request to some Umbraco Document (page), which is getting the Windows LOGON_USER, is not authenticated (Integrated Windows Authentication), the request will be transferred to "Login.aspx" with a correct ReturnUrl QueryString value, if and only if the page is not Protected using Umbraco back-office.
But, for a Protected Page, and if the Request is not Authenticated as per Umbraco Members Membership Provider, it will be transferred to Login.aspx page, but there is no ReturnUrl Parameter? Instead, the URL "request.rawUrl()" will be the actual ReturnUrl.
It seems to me that Umbraco 4.0.3 has some issue with regard to FormsAuthentication and ReturnUrl. Right?
So, in order to deal with the above issue, I had to do exactly the following in Login.aspx Page, when the user clicks the "Login" button:
    Protected Sub Button2_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button2.Click
        Dim CurrUser As String
        Dim myRetURL As String
        CurrUser = MyLib.GetWindowsLoginIDWeb()
        'FormsAuthentication.RedirectFromLoginPage(CurrUser, False)
        ' Issue a persistent Forms Authentication cookie for the Windows user
        FormsAuthentication.SetAuthCookie(CurrUser, True)
        myRetURL = Request.QueryString("ReturnUrl")
        If String.IsNullOrEmpty(myRetURL) Then
            ' No ReturnUrl: fall back to the raw URL unless it is the login page itself
            If Page.Request.RawUrl().ToLower.IndexOf("Login.aspx".ToLower) < 0 Then
                'myRetURL = Page.ResolveClientUrl(Request.Url.AbsoluteUri)
                myRetURL = Request.RawUrl
            Else
                myRetURL = FormsAuthentication.DefaultUrl()
            End If
        End If
        Response.Redirect(Page.ResolveClientUrl(HttpUtility.UrlEncode(myRetURL)), True)
    End Sub
The above method works fine in both cases:
1. If the request is not yet Authenticated from IIS under Integrated Windows Authentication, and
2. If the request is not authenticated for an Umbraco Protected Page.
I just need to know if the above approach is correct.
Am I missing something ?
Is there a better method ?
Tarek.
Appreciate your feedback on the above.
Tarek.
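The login handler in the post redirects to whatever ReturnUrl arrives in the query string, so the value is worth checking before it reaches Response.Redirect. The following is an added example, not part of the original post or of Umbraco: one way to accept only site-local paths. The module and function names are hypothetical and the sample values are constructed.

```vbnet
Imports System

' Added example: hypothetical helper, not code from the post or from Umbraco.
Public Module ReturnUrlGuard

    ' Returns candidate when it is a site-local path, otherwise fallback.
    Public Function SafeLocalReturnUrl(ByVal candidate As String, ByVal fallback As String) As String
        If IsLocalPath(candidate) Then Return candidate
        Return fallback
    End Function

    Public Function IsLocalPath(ByVal url As String) As Boolean
        If String.IsNullOrEmpty(url) Then Return False

        ' Must be rooted at the site: "/page.aspx", not "page.aspx" or "http://...".
        If url(0) <> "/"c Then Return False

        ' Browsers treat "//host" and "/\host" as protocol-relative (off-site) URLs.
        If url.Length > 1 AndAlso (url(1) = "/"c OrElse url(1) = "\"c) Then Return False

        ' Control characters (CR, LF, tab, ...) have no place in a redirect target.
        For Each ch As Char In url
            If Char.IsControl(ch) Then Return False
        Next

        Return True
    End Function

    Public Sub Main()
        ' Constructed sample values: one local path, then values that must be rejected.
        Dim samples() As String = {"/members/report.aspx?id=7", "//example.org/x",
                                   "/\example.org", "http://example.org/", "",
                                   "members.aspx"}
        For Each s As String In samples
            Console.WriteLine("{0,-28} -> {1}", s, SafeLocalReturnUrl(s, "/default.aspx"))
        Next
    End Sub
End Module
```

In the click handler, the value read from Request.QueryString("ReturnUrl") or Request.RawUrl would pass through SafeLocalReturnUrl, with FormsAuthentication.DefaultUrl as the fallback, before the redirect.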
How are you dealing with the Umbraco back office? Do you only secure the site and leave the /Umbraco folder as anonymous?