FormsAuthentication and DangerousUrl Issue


Complex ASP.NET applications often make use of request query strings.
For example, it can happen that the same page is opened with a request query like this one:

http://localhost:7000/YourApp/Login.aspx?ReturnUrl=%2fYourApp%2fDefault.aspx%3fControledStart%3dtrue%26NewWindow%3dPleaseNotOpenInNewWindow%26OpenFromSakibovePlatice%3d%7e%2fProcessesID%2cakrcici%7C101002%7C101003

If FormsAuthentication is used, the user is redirected to the login page after the login session expires. That is what happens when the user opens such a page (with the URL shown above) and remains inactive for a while. On the user's next action, the application redirects the user to the login page and fails with the following exception:

"The return URL specified for request redirection is invalid."

This exception is thrown when the following statement is executed:

FormsAuthentication.RedirectFromLoginPage(username, true);

Solution

Internally this exception is thrown in the method GetReturnUrl(bool useDefaultIfAbsent), invoked from RedirectFromLoginPage, when the redirection URL is considered dangerous?!

Hmm, what could this mean?

Somewhere deep in ASP.NET there is a method which decides which request is a good one and which is an evil one.
This is the original code, which I'm not going to comment on (it is self-explanatory):

[image: the framework's internal IsDangerousUrl code]

Now, because we know who is evil, or who could be, there is a very simple workaround, shown in the next example:

[image: workaround code in the login page]

Before we enforce the redirection, let's check the evil state by calling IsDangerousUrl. Note that this method is an internal one; to call it, just implement your own clone. If the request (QueryString["ReturnUrl"]) is the evil one, just redirect to the default location, as shown in the else clause.
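The following is an added example of that workaround in a Login.aspx code-behind; it is not the code from the post's images. The IsDangerousUrl clone is my re-implementation of the framework's colon-based scheme check as I recall it from the System.Web source (CrossSiteScriptingValidation.IsDangerousUrl); the exact internal code is only in the post's image. It goes one step beyond the post with an IsLocalUrl helper that also rejects absolute and protocol-relative URLs, because the framework check lets any http(s) URL through and a ReturnUrl pointing at another host is a classic open-redirect risk. Assumed and not from the page: Membership as the credential store, and the controls UserName, Password and FailureText on the page.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Assumed code-behind of Login.aspx (example, not the blog's own code).
public partial class Login : Page
{
    // Clone of the framework-internal check the post refers to. It lets
    // "http:" / "https:" through and rejects any other string containing a ':',
    // i.e. a foreign scheme such as javascript: or data:.
    private static bool IsDangerousUrl(string s)
    {
        if (string.IsNullOrEmpty(s))
            return false;

        s = s.Trim();            // leading whitespace by itself is not dangerous
        int len = s.Length;

        // "http:" or "https:" prefixes (any casing) are explicitly allowed.
        if (len > 4 && s.StartsWith("http", StringComparison.OrdinalIgnoreCase))
        {
            if (s[4] == ':' || (len > 5 && (s[4] == 's' || s[4] == 'S') && s[5] == ':'))
                return false;
        }

        // Any other colon means some other scheme: treat as dangerous.
        return s.IndexOf(':') != -1;
    }

    // Stricter check (my addition, not part of the framework method): accept
    // only a path inside this application, so ReturnUrl cannot bounce a freshly
    // authenticated user to another host.
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || IsDangerousUrl(url))
            return false;

        // "/path" is local; "//host/path" and "/\host" are protocol-relative and are not.
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        // "~/path" is app-relative and always resolves inside the application.
        return url.StartsWith("~/", StringComparison.Ordinal);
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserName.Text;   // assumed TextBox controls
        if (!Membership.ValidateUser(userName, Password.Text))
        {
            FailureText.Text = "Invalid user name or password.";
            return;
        }

        string returnUrl = Request.QueryString["ReturnUrl"];

        if (IsLocalUrl(returnUrl))
        {
            // Good case: the framework would accept this URL, so let it redirect.
            FormsAuthentication.RedirectFromLoginPage(userName, true);
        }
        else
        {
            // Evil (or missing) case from the post: issue the ticket ourselves and
            // send the user to the configured default page instead of throwing.
            FormsAuthentication.SetAuthCookie(userName, true);
            Response.Redirect(FormsAuthentication.DefaultUrl, false);
        }
    }
}
```

RedirectFromLoginPage both writes the authentication cookie and redirects, so the else branch has to do both steps itself; SetAuthCookie plus a redirect to FormsAuthentication.DefaultUrl (the defaultUrl from web.config, or default.aspx) keeps the user logged in instead of silently dropping the login. Logging the rejected ReturnUrl in the else branch is worthwhile as well, since a run of rejected values is usually either a bug in how the application builds its links or someone probing the redirect.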


Hope this helps...


Posted Aug 29 2008, 10:21 PM by Damir Dobric

developers.de is a .Net Community Blog powered by daenet GmbH.