RedirectFromLoginPage never returns to original page

Edward Mitchell

I have a main project that is protected in that the user is directed to a
login.aspx file.

The text in the web.config file is:

    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" />
    </authentication>

    <authorization>
        <deny users="?" /> <!--deny unauthorized users -->
        <allow users="*" /> <!-- Allow all authorized users -->
    </authorization>

When the user enters email/password and is authenticated, control is
transferred back to the main page via the line in the Login.aspx file:

    if (Authenticate(EMail.Text, Password.Text)) {
        // return to the original page
        FormsAuthentication.RedirectFromLoginPage(EMail.Text, false);
    }
    else {
        Output.Text = "Invalid Login";
    }

Authenticate is my routine.

This all works as it should.

I also have a second project that is going to allow editing of the main page
info. This is contained in the solution but placed in a subdirectory to the
main project. In there I have a web.config file that just identifies the
login.aspx file in the parent directory so:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        <system.web>
            <authentication mode="Forms">
                <forms loginUrl="../Login.aspx" />
            </authentication>
        </system.web>
    </configuration>

Again when I start the second project I am transferred to the login.aspx
file in the parent folder. I enter the credentials and when I step through
the code, the FormsAuthentication.RedirectFromLoginPage(...) routine is
called.

My problem is that the Login.aspx page is recycled. Control doesn't return
to my secondary project in the child folder it just keeps on showing the
Login page.

If I look at the browser's address line for the login page:

http://localhost/OnLineReg/Login.aspx?ReturnUrl=/OnLineReg/DisplayRegInfo/DisplayRegInfo.aspx

it has the correct return address of the page in the subfolder
"DisplayRegInfo" in the ReturnUrl= argument.

Can anyone suggest if I am doing anything obviously wrong?

Ed
 
William F. Robertson, Jr.

You probably have your second project configured as an application in IIS.

bill
 
Edward Mitchell

I'm pretty sure that when I created the project it was C# with the Web
Application icon chosen. However, I can't find any reference in the Project
Properties that would tell me this.

However, assuming it is a web application, can I make it work? Do I have to
start off creating the project from scratch and if so, what do I choose for
the project type?

Is there any documentation for this?

Ed
 
Steven Cheng[MSFT]

Hi Edward,

The problem you encountered is actually caused by some combined factors. Here
are some of my suggestions:

1. Each ASP.NET Web application is hosted in an IIS folder which is configured
as an Application. So if you make your subfolder an Application, that
subfolder becomes a separate application from its parent virtual dir's
application. I don't think this is what you want, so you need to remove the
"Application" in the subfolder.

2. The <authentication> element is per-application based, so each
application can have only one <authentication> element in the main
web.config. However, we can have multiple <authorization> elements to
define different protection rules for different paths in our web
application. So currently you have two options to resolve your problem:

1) Still use a sub web.config in your sub dir (must remove that subdir as
Application), and also remove the <authentication> element in it, just put
your <authorization> setting in the sub dir's web.config.

2) Use the <location> element in your main web.config to specify different
<authorization> settings for different paths:

#Hierarchical Configuration Architecture
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconhierarchicalconfigurationarchitecture.asp?frame=true

If anything is unclear, please feel free to post here.

Thanks & Regards,


Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
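
Option 2 from the reply above, sketched as one root web.config. This is an added example, not configuration posted by anyone in the thread. It assumes the rooted login path seen in the address line quoted earlier in the thread, and the editor account name is a constructed placeholder.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- Exactly one <authentication> element per application.
         A rooted path (assumed from the URL in the thread) resolves the
         same way whichever folder the requested page lives in. -->
    <authentication mode="Forms">
      <forms loginUrl="/OnLineReg/Login.aspx" />
    </authentication>

    <!-- Default rule for the whole application:
         "?" is the anonymous user, so this forces a login. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-path rule for the editing pages. Only <authorization> goes here;
       <authentication> stays at application level. DisplayRegInfo must be a
       plain folder in IIS, not a separate Application. -->
  <location path="DisplayRegInfo">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top-down and the first match wins.
             editor@example.com is a constructed placeholder account. -->
        <allow users="editor@example.com" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the forms ticket is issued once for the application, a login at the parent Login.aspx is honoured for pages under DisplayRegInfo, and the tighter allow/deny pair there limits the editing pages to the named account.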
 
Edward Mitchell

I made some more experiments. When I first visit the line in Login.aspx.cs:

FormsAuthentication.RedirectFromLoginPage(EMail.Text, false);

Page.Context.User.Identity contains the empty string for AuthenticationType
and Name and IsAuthenticated is false. If I step through this routine call
with the debugger the Page.Context.User fields don't change. Then control
leaves my Login.aspx.cs file (debugger stepwise) but the Login.aspx page
again shows up in the browser.

If I push the Login button again and the second time around the code in the
Login.aspx.cs file I break at the same point. Now the debugger QuickWatch
window shows that Page.Context.User.Identity has IsAuthenticated as true,
the AuthenticationType is "Forms" and the Name is correct. Something did
the right thing on leaving the LoginButton_Click(...) event to no avail.

But I'm still in the Login.aspx page and will go back to the same breakpoint
when I hit the login button again.

In both the above debug breaks, I examined the expression directly in the
QuickWatch window to find out where we were supposed to go back to:

FormsAuthentication.GetRedirectUrl("name", false)

and this gave the correct return URL to the page that I am trying to go back
to.

The problem is that it won't return and leave the Login page even though it
looks like the user is now supposedly authenticated.

Since the "RedirectFromLoginPage" is system code, I am unable to step within
it to see what is really supposed to be happening.

Ed
 
Edward Mitchell

Steve,

I removed the Web.Config file from the subdirectory and added a <location>
tag to the root Web.Config. There is now a single <authentication
mode="Forms"> tag and two tags for the <authorization...>. This is the text
in my single Web.Config file:

    <configuration>
        <system.web>
            ...
            <authentication mode="Forms">
                <forms loginUrl="Login.aspx" />
            </authentication>

            <authorization>
                <deny users="?" /> <!--deny unauthorized users -->
                <allow users="*" /> <!-- Allow all authorized users -->
            </authorization>
            ...
        </system.web>
        <location path="DisplayRegInfo">
            <system.web>
                <authentication>
                    <forms loginUrl="../Login.aspx" />
                </authentication>
                <authorization>
                    <deny users="?" /> <!--deny unauthorized users -->
                    <allow users="*" /> <!-- Allow all authorized users -->
                </authorization>
            </system.web>
        </location>
    </configuration>

I found that I had to define the loginUrl as "../Login.aspx" in the location
since it appears that the path is relative to the page being authenticated.
I could use a forward slash or backslash to define the parent directory.

However, I still see the same behavior. My login.aspx file finds the user
and then does the

FormsAuthentication.RedirectFromLoginPage(EMail.Text, false);

but the login.aspx page is continually recycled. Control never goes back to
the original page.

Is the only way out of this to put all the pages in the same top-level
directory?

Ed
 
Steven Cheng[MSFT]

Hi Ed,

Have you also changed your sub directory to a normal folder (from an
"APPLICATION" virtual dir)? That's the key point, we can't make a sub
folder another separate application in IIS if they're actually the same
asp.net application.

Thanks.

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Edward Mitchell

Steve,

It turned out that I hadn't made the subdirectory within my virtual
directory a virtual directory of its own. I noticed in IIS that the
virtual directories have their own icon compared to a lowly folder. When
I made the sub-folder a virtual directory, I was able to startup using the
Login.aspx in the parent directory and return to the page in the
subdirectory.

I finished up putting all my files in one directory rather than mess with
the sub-folders.

Thanks for the feedback.

Ed
 
Steven Cheng[MSFT]

Good!

Glad that you've figured it out.
Have a nice day!

Cheers,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
