Redirecting URL Not Working

Question

I wanted to add authorization before accessing all web pages. So I have used the following configuration in web.config

<authentication mode="Forms">
   <forms loginUrl="~/Login/Login.aspx" />
</authentication>
<authorization>
   <deny users="?"/>
</authorization>

After this for every page Login.aspx asked, But after logged in successfully Redirection is not working with below code.

//http://localhost:55217/Login/Login.aspx?ReturnUrl=%2fHome%2fdeleteUser.aspx

if (returnMsg == "Success") {
    string query0 = Request.QueryString[0];
    finalStr = "~" + query0;
    Response.Redirect(finalStr, false);

    //Session["Login"] = username;
    //Response.Redirect("~/Home/Home.aspx");
    //Response.Redirect("/Home/HomeTest.aspx");
} else {
    StatusLabel.Attributes["style"] = "color:red; font-weight:bold;";
    StatusLabel.Text = "Error: Username or Password Wrong";
}

It is staying on the Login page again asking for credentials. But not showing error "Error: Username or Password Wrong"

Any ideas why it is not working?

Answer 1

If you are using Forms authentication you need to create an authentication cookie if authentication is successful. Otherwise the ASP.NET subsystem will not know that the authentication was successful.

See this article: https://support.microsoft.com/en-us/kb/301240

Here is the relevant text from this article:

4.You can use one of two methods to generate the forms authentication cookie and redirect the user to an appropriate page in the cmdLogin_ServerClick event. Sample code is provided for both scenarios. Use either of them according to your requirement.

•Call the RedirectFromLoginPage method to automatically generate the forms authentication cookie and redirect the user to an appropriate page in the cmdLogin_ServerClick event:

private void cmdLogin_ServerClick(object sender, System.EventArgs e)
{
if (ValidateUser(txtUserName.Value,txtUserPass.Value) )
    FormsAuthentication.RedirectFromLoginPage(txtUserName.Value,
        chkPersistCookie.Checked);
    else
        Response.Redirect("logon.aspx", true);
}

•Generate the authentication ticket, encrypt it, create a cookie, add it to the response, and redirect the user. This gives you more control in how you create the cookie. You can also include custom data along with the FormsAuthenticationTicket in this case.

private void cmdLogin_ServerClick(object sender, System.EventArgs e)
{
   if (ValidateUser(txtUserName.Value,txtUserPass.Value) )
   {
      FormsAuthenticationTicket tkt;
      string cookiestr;
      HttpCookie ck;
      tkt = new FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now, 
DateTime.Now.AddMinutes(30), chkPersistCookie.Checked, "your custom data");
      cookiestr = FormsAuthentication.Encrypt(tkt);
      ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
      if (chkPersistCookie.Checked)
      ck.Expires=tkt.Expiration;    
            ck.Path = FormsAuthentication.FormsCookiePath; 
      Response.Cookies.Add(ck);

      string strRedirect;
      strRedirect = Request["ReturnUrl"];
      if (strRedirect==null)
            strRedirect = "default.aspx";
         Response.Redirect(strRedirect, true);
   }
   else
      Response.Redirect("logon.aspx", true);
}