Redirect to requested page after authentication

asp.net-mvc asp.net-mvc-3 authentication forms-authentication
17,721

If you create an ASP.NET MVC 3 or 4 Internet Application project, it'll have a complete example of how to use return url's when authenticating.

When you add the AuthorizeAttribute to a controller to force authentication, it'll redirect the user to your Login method, and automatically append the returnUrl parameter. From there, you need to keep track of it as you show your login form:

public ActionResult Login(string returnUrl)
{
     ViewBag.ReturnUrl = returnUrl;
     return View();
}

and then add it to your login form's route collection:

@*//ReSharper disable RedundantAnonymousTypePropertyName*@
@using (Html.BeginForm(new { ReturnUrl = ViewBag.ReturnUrl })) {
@*//ReSharper restore RedundantAnonymousTypePropertyName*@

}

Once the user submits the login, assuming they authenticate properly, you'll just redirect to returnUrl:

[HttpPost]
public ActionResult Login(LoginModel model, string returnUrl)
{
     return RedirectToLocal(returnUrl);
}

The hardest part is keeping track of the ReturnUrl through the GET/POST sequence.

If you want to see how the AuthorizeAttribute works, this StackOverflow post shows setting returnUrl with the original request.

You also need to make sure you validate returnUrl really is a local url, or you become vulnerable to open redirection attacks. RedirectToLocal() is a helper method from the MVC 4 Internet Application template that does this validation:

private ActionResult RedirectToLocal(string returnUrl)
{
     if (Url.IsLocalUrl(returnUrl))
     {
          return Redirect(returnUrl);
     }
     else
     {
          return RedirectToAction("Index", "Home");
     }
}
Share:
17,721
Admin
Author by

Admin

Updated on June 05, 2022

Comments

  • Admin
    Admin almost 2 years

    I'm working on an mvc .net application and I'm using forms authentication. I want to redirect user to the page he requested after he gets authenticated. Any help would be appreciated.

  • mohsen dorparasti
    mohsen dorparasti over 11 years
    @HediNaily : one point to remeber is not to trust returnUrl and to check it before using it to redirect the user
  • mfanto
    mfanto over 11 years
    @mohsen.d Agreed. The RedirectToLocal() is an MVC 4 helper included with the Internet Application template that validates the URL before redirecting. I'll add it to the answer for those without the helper method.
  • hvaughan3
    hvaughan3 about 7 years
    One important thing for those ReSharper users, ReSharper will tell you that you can remove the ReturnUrl = part of the Html.BeginForm since an explicit name is not needed. In this case it is needed.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Who sets the IsAuthenticated property of the HttpContext.User.Identity
ASP.NET MVC - Authenticate users against Active Directory, but require username and password to be inputted
How to redirect to a dynamic login URL in ASP.NET MVC
HttpContext.Current.User != HttpContext.User?
MVC3: Can one controller require Windows Authentication while a second allows anonymous?
ASP.NET - Redirect to Error Page if Roles Authorization Fails
Thread.CurrentPrincipal claims incorrectly to be anynomous
MVC Forms LoginUrl is incorrect
FormsAuthentication LoginUrl
Remove text onclick/onfocus event of @Html.TextArea