How can I change the name of the “ReturnUrl” parameter used by ASP.NET MVC?

Question

ReturnUrl is kind of ugly. I'd like to use redirect instead. How can I specify the name of the parameter that should be used for forms authentication redirect URLs in conjunction with the [Authorize] attribute? Or do I have to create an IAuthorizationFilter implementation? :(

Example:

[Authorize]
public class Tools : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

When a user who is not logged in visits http://example.com/tools , I'd like them to be redirected to http://example.com/account/logon?redirect=%2ftools , instead of the default http://example.com/Account/LogOn?ReturnUrl=%2ftools

For the /account/logon part, I can modify my routes in Global.asax and change

<authentication mode="Forms">
  <forms loginUrl="~/account/logon" timeout="2880" />
</authentication>

in web.config. But I don't know how to change the ReturnUrl parameter.

Answer 1

将此密钥添加到web.config的appSettings部分

<add key="aspnet:FormsAuthReturnUrlVar" value="redirect" />

Answer 2

The question and answers here seems to relate to the old form authentications stuff. On newer versions of MVC, eg MVC 5 (with Identity 2.0), you would do something like this in the Startup.Auth.cs :

app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/account/login"),
            Provider = new CookieAuthenticationProvider
            {
                // Enables the application to validate the security stamp when the user logs in.
                // This is a security feature which is used when you change a password or add an external login to your account.  
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            },
            ReturnUrlParameter = "redirect"
        });

The important part is of course ReturnUrlParameter = "redirect" (can be anything). The rest might be different for your project.

Answer 3

Not the BEST solution around, but it works...

<rule name="FormsAuthentication" stopProcessing="true">
  <match url="^account/log(i|o)n$" />
  <conditions>
    <add input="{QUERY_STRING}" pattern="^ReturnUrl=([^=&amp;]+)$" />
  </conditions>
  <action type="Redirect" url="account/logon?redirect={C:1}" appendQueryString="false" />
</rule>

Answer 4

The problem here is that a redirect is not a post. It's a get. The only way to pass a variable on get is to use a query string parameter of some type. You can disguise this url rewrite but it's still a query parameter, and passed on the URL.

Perhaps you could be a little more clear about what you're looking for?

Answer 5

只需在以下键值对的appSettings部分添加web.config：

<add key="aspnet:FormsAuthReturnUrlVar" value="your-custom-parameter-name"/>

Answer 6

There is no way to change the name of the parameter using configuration because the "ReturnUrl" parameter name is hard-coded in the System.Web.Security.FormsAuthentication class, which is the class that is used for forms authentication, including redirects.

One way to achieve the desired result is to extend the Authorize attribute such that it redirects to the login page with your customized parameter name. Then depending on which additional methods from FormsAuthentication you use, you can modify those as well, in particular FormsAuthentication.RedirectFromLoginPage.

Answer 7

The parameter name can't be changed, which is annoying. I solved this by writing my own authentication module - you need to know how authentication works inside, but it's not hard - just look how it's done in reflector (and possibly simplify it, I ended up using only cookie encrypting/decrypting from FormsAuthentication).