  • tarekahf 215 posts 153 karma points
    Mar 21, 2010 @ 07:37

    Forms Authentication, Integrated Windows Authentication, and ReturnUrl.

    I created a User Control to deal with Integrated Windows Authentication for Members. I created a Login.aspx Document using Umbraco back-office with the User Control embedded (via Macro) to implement this feature.

    So, to get the Currently logged-in Windows User ID (strUserID) I am using this method (inside Login.aspx/User Control/Page-Load):

    Note: This is a function in MyLib.GetWindowsLoginWeb() 

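    Dim strUserID As String
    With System.Web.HttpContext.Current
      ' Windows account that IIS authenticated for this request (DOMAIN\user)
      strUserID = .Request.ServerVariables("LOGON_USER")
      If strUserID = "" Then
        ' Anonymous request: answer 401 so the browser negotiates Windows authentication
        .Response.StatusCode = 401
        .Response.StatusDescription = "Unauthorized"
      Else
        ' Strip the domain prefix and keep only the account name
        Dim idx As Integer
        idx = strUserID.IndexOf("\")
        If idx >= 0 Then
          strUserID = strUserID.Substring(idx + 1)
        End If
      End If
    End With
    Return strUserID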

    For the first time, if the IIS Request to some Umbraco Document (page), which is getting the Windows LOGON_USER, is not authenticated (Integrated Windows Authentication), the request will be transferred to "Login.aspx" with a correct ReturnUrl QueryString value, if and only if the page is not Protected using Umbraco back-office.


    But, for a Protected Page, and if the Request is not Authenticated as per Umbraco Members Membership Provider, it will be transferred to the Login.aspx page, but there is no ReturnUrl Parameter? Instead, the URL "request.rawUrl()" will be the actual ReturnUrl.

    It seems to me that Umbraco 4.0.3 has some issue with regard to FormsAuthentication and ReturnUrl. Right?

    So, in order to deal with the above issue, I had to do exactly the following in the Login.aspx Page, when the user clicks the "Login" button:

        Protected Sub Button2_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button2.Click
            Dim CurrUser As String
            Dim myRetURL As String
            CurrUser = MyLib.GetWindowsLoginIDWeb()
            'FormsAuthentication.RedirectFromLoginPage(CurrUser, False)
            ' Issue a persistent forms-authentication cookie for the Windows user
            FormsAuthentication.SetAuthCookie(CurrUser, True)
            myRetURL = Request.QueryString("ReturnUrl")
            If String.IsNullOrEmpty(myRetURL) Then
                ' No ReturnUrl (protected-page case): use the requested URL,
                ' unless that URL is the login page itself
                If Page.Request.RawUrl().ToLower.IndexOf("Login.aspx".ToLower) < 0 Then
                    'myRetURL = Page.ResolveClientUrl(Request.Url.AbsoluteUri)
                    myRetURL = Request.RawUrl
                Else
                    myRetURL = FormsAuthentication.DefaultUrl()
                End If
            End If
            Response.Redirect(Page.ResolveClientUrl(HttpUtility.UrlEncode(myRetURL)), True)
        End Sub

    The above method works fine in both cases:

    1. If the request is not yet Authenticated from IIS under Integrated Windows Authentication, and

    2. If the request is not authenticated for an Umbraco Protected Page.

    I just need to know if the above approach is correct.

    Am I missing something?

    Is there a better method?
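
Added example, not part of the original post or of Umbraco: the handler above takes its redirect target from the `ReturnUrl` query string, and this sketch confines such a value to a site-local path before it is used and skips the cookie when no Windows identity was found. `ReturnUrlGuard`, `IsLocalUrl` and `SafeReturnUrl` are hypothetical names; the module is assumed to live in the site's App_Code folder.

```vbnet
Imports System
Imports System.Web.Security

' Added example: hypothetical helpers for the Login.aspx code-behind.
Public Module ReturnUrlGuard

    ' True only for a site-relative path such as "/news/item.aspx?id=3".
    Public Function IsLocalUrl(ByVal url As String) As Boolean
        If String.IsNullOrEmpty(url) Then Return False
        ' Must start with exactly one "/": browsers resolve "//host" and
        ' "/\host" against another host, and "http://..." is absolute.
        If url.Chars(0) <> "/"c Then Return False
        If url.Length > 1 AndAlso (url.Chars(1) = "/"c OrElse url.Chars(1) = "\"c) Then
            Return False
        End If
        ' Reject control characters (CR/LF in a Location header, stripped tabs).
        For Each ch As Char In url
            If Char.IsControl(ch) Then Return False
        Next
        Return True
    End Function

    ' Same precedence as the post (ReturnUrl, then RawUrl, then the configured
    ' default), but a candidate that is not site-local is discarded.
    Public Function SafeReturnUrl(ByVal returnUrl As String, ByVal rawUrl As String) As String
        If IsLocalUrl(returnUrl) Then Return returnUrl
        If IsLocalUrl(rawUrl) AndAlso _
           rawUrl.IndexOf("login.aspx", StringComparison.OrdinalIgnoreCase) < 0 Then
            Return rawUrl
        End If
        Return FormsAuthentication.DefaultUrl
    End Function

End Module

' Use inside Button2_Click (identifiers other than the helpers are the post's own):
'   Dim user As String = MyLib.GetWindowsLoginIDWeb()
'   If String.IsNullOrEmpty(user) Then Return   ' no Windows identity: issue no cookie
'   FormsAuthentication.SetAuthCookie(user, True)
'   Response.Redirect(ReturnUrlGuard.SafeReturnUrl( _
'       Request.QueryString("ReturnUrl"), Request.RawUrl), True)
```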


  • tarekahf 215 posts 153 karma points
    Apr 22, 2010 @ 22:39

    Appreciate your feedback on the above.


  • Connie DeCinko 931 posts 1160 karma points
    Nov 13, 2013 @ 20:08

    How are you dealing with the Umbraco back office?  Do you only secure the site and leave the /Umbraco folder as anonymous?

