Defining a forms auth path erratically redirecting to ReturnUrl after logon

Developer https://www.devze.com 2023-02-04 12:28 Source: Internet
I'm having a very erratic problem with forms auth I'm hoping someone can shed some light on. Here's what's in the web.config:

<location path="Admin">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

And for the auth:

<authentication mode="Forms">
  <forms loginUrl="~/Admin/LogOn.aspx" name="MyAppAdmin" requireSSL="false" path="/Admin" cookieless="UseCookies"/>
</authentication>

There's also a custom membership provider implementing ValidateUser against a credential repository. The app has a master page with a LoginName control.

What seems to be happening is that sometimes a user logs on successfully but the logon page remains rather than redirecting them to the ReturnUrl in the query string. We know they've successfully authenticated because the LoginName control shows their identity and they can always browse off to other secured content.

Unfortunately we can't identify the pattern which causes this. Different browsers, different servers, removing cookies, SSL or no SSL; there's no discernible pattern. The only thing which is clear is that after removing the "path" attribute from the forms node the problem couldn't be reproduced.

Is there anything obviously wrong with this configuration? Any thoughts on a possible cause? Obviously the path attribute isn't essential but it's nice to isolate things a bit further.


So I actually found the answer for this right before clicking the submit but have put it in for the sake of having the info on SO. Rick Strahl actually nailed it in this post; it's a case sensitivity problem.

Basically, if you hit "/admin" it redirects you to "/Admin/LogOn.aspx?ReturnUrl=%2fadmin%2fdefault.aspx" then after authentication the cookie is set against the path "/Admin" (defined in the web.config), then you're redirected to "/admin/Default.aspx". The path comparison is case sensitive therefore you're not being identified as authenticated so you're looped back around to the form.

The reason my results were erratic was due to some people manually typing "Admin" and others typing "admin". I wasn't next to the guys doing this and it all sounded just fine over the phone.

Simple answer; get rid of the path attribute. It's too much trouble unless you have absolute confidence the case won't change.
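
The cookie path comparison described in the answer above, as an added example that is not part of the original post: it implements the RFC 6265 path-match rule that browsers apply and replays the logon flow for each typed casing. `pathMatches` and `simulateLogon` are hypothetical names, and the application is assumed to sit at the site root so that `~/Admin/LogOn.aspx` resolves to `/Admin/LogOn.aspx`.

```javascript
// RFC 6265 section 5.1.4 path-match: a plain, case-sensitive string comparison.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/Admin" never covers "/Administrator".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Replay the flow from the post for one typed URL and one configured cookie path.
function simulateLogon(typedPath, cookiePath) {
  const loginUrl = "/Admin/LogOn.aspx"; // loginUrl from the post, app assumed at site root
  const returnUrl = typedPath;          // ReturnUrl keeps the casing the user typed
  // The auth cookie is issued with the configured path; the browser then decides,
  // per request, whether to send it.
  const sentToLogOnPage = pathMatches(loginUrl, cookiePath);
  const sentToReturnUrl = pathMatches(returnUrl, cookiePath);
  return {
    redirect: `${loginUrl}?ReturnUrl=${encodeURIComponent(returnUrl)}`,
    sentToLogOnPage,                     // true: LoginName on the logon page shows the user
    sentToReturnUrl,                     // false: the target sees an anonymous request
    loopsBackToLogOn: !sentToReturnUrl,  // <deny users="?"/> sends them to loginUrl again
  };
}

// Constructed cases: the two casings from the post, with and without the path attribute
// (the forms cookie path is "/" when the attribute is omitted).
const cases = [
  ["/admin/default.aspx", "/Admin"],
  ["/Admin/Default.aspx", "/Admin"],
  ["/admin/default.aspx", "/"],
];
for (const [typed, cookiePath] of cases) {
  const r = simulateLogon(typed, cookiePath);
  console.log(`${typed} with cookie path ${cookiePath}:`,
    r.loopsBackToLogOn ? "loops back to logon page" : "reaches ReturnUrl");
}
```
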
