
What's a secure way to redirect to login.aspx?

Right now I'm writing an ASP.NET web application from scratch, and I want all users that aren't logged in to be redirected to Login.aspx. Here's the code from my master page:

protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    if (this.Session["User"] == null && !this.Request.Path.EndsWith("Login.aspx")) {
        Response.Redirect("Login.aspx", true);
    }
}

However, I'm concerned that a potentially malicious user could browse the site (albeit with no data) by entering something like https://mywebsite.com/Default.aspx?id=Login.aspx. In the debugger it doesn't appear to contain the extra parameters, but I'm wondering if there are any ways the user could manipulate this to view other pages. My question is, is it secure to use Request.Path like this?

No need to reinvent the wheel; ASP.NET has such features built in.

Look into forms authentication:

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH">
    </forms>
  </authentication>
</system.web>

After making changes to web.config as suggested by @meda, try this:

if (!User.Identity.IsAuthenticated)
{
    Response.Redirect("Login.aspx", true);
}
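
The following web.config is an added example, not part of the original question or answers. It extends the forms authentication snippet from the first answer with the authorization rule that makes ASP.NET itself redirect anonymous requests to `loginUrl`, so neither the `Request.Path` string check nor a manual redirect is needed. The timeout value and the `Content` folder name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original answers. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: the auth cookie is only sent over HTTPS
           (the question's site is served over https).
           cookieless="UseCookies": the ticket is never placed in the URL.
           protection="All": the ticket is both encrypted and validated.
           timeout is in minutes; 30 is a sample value (assumption). -->
      <forms loginUrl="Login.aspx"
             name=".ASPXFORMSAUTH"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="true" />
    </authentication>

    <!-- "?" stands for anonymous users. Without a deny rule, forms
         authentication is configured but no page is protected and
         nobody is redirected to loginUrl. The login page itself
         stays reachable for anonymous users. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Assumption: stylesheets and images used by Login.aspx live in a
       folder named "Content". This rule keeps them reachable before
       login when such requests pass through URL authorization. -->
  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

For `User.Identity.IsAuthenticated` to become true, Login.aspx has to issue the forms authentication ticket after validating credentials (for example with `FormsAuthentication.RedirectFromLoginPage`); setting `Session["User"]` alone does not do that.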
