FormsAuthentication.RedirectFromLoginPage

[Andy Sutorius]

Hi,

For some reason the login.aspx webpage redirects to itself after a
successful login and not to the url in the address bar. I have stepped
through this with debug and it behaves as it is supposed to. What am I
overlooking? Try it.

http://www.sutorius.com/psyche
click the Administration link
username = user1
password = user1


private void cmdLogin_ServerClick(object sender, System.EventArgs e)
{
if (ValidateUser(txtUserName.Value,txtUserPass.Value) )


FormsAuthentication.RedirectFromLoginPage(txtUserName.Value,chkPersistCookie
..Checked);

else

lblMsg.Text = "Invalid Log in";

 

[Steve C. Orr [MVP, MCSD]]

It looks like you've forgotten to call SetAuthCookie.
Here's more info:
http://authors.aspalliance.com/aspxtreme/sys/Web/Security/FormsAuthenticationClassSetAuthCookie.aspx

 

[Guest]

Steve, doesn't the redirectfromloginpage call create the cookie for you?

Andy, I've also had this when my web.config is not set up correctly to deny
anonymous users and *allow* authenticated users.

Bill

 

[Andy Sutorius]

Steve,

I don't understand how adding setauthcookie has an effect on the redirect.

Andy

 

[Andy Sutorius]

Bill,

Thanks for that. I forgot to put in an allow. This is what my web.config
looks like now. And I am still getting the same response. I am attempting to
control access into a subdirectory from the web.config in the root folder.
Any other ideas?

<location path="admin" allowOverride="false">
<!-- <location path="admin" allowOverride="true"> -->
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>

 

[Guest]

Looks pretty good at first blush. Any chance there's a web.config in the
subfolder too (that would override the root)?

Also, per your comment above, I'll be anxious to read Steve's response. I've
been working through all this same stuff lately. To me, redirectfromloginpage
is one of those times where asp.net does *too* much to make it easy, so you
don't really understand what's happening underneath. Afaik, it combines
creating the cookie, creating the authentication ticket stored in the cookie,
persisting them or not, and redirecting to the requested page. You can do all
these yourself if you understand what's happening, and you're forced to do
that in cases I run into all the time, such as wanting to name the cookie
myself, keeping multiple cookies, playing with timeout values per user, etc.
Best discussion I've seen of all this is in Esposito's Programming ASP.NET
(best discussion of most *anything* is in that book). There's also a ton of
great stuff in this forum.

Bill

 

[Guest]

*This might be a double-post (having system trouble), but here goes (again):*

Looks pretty good at first blush. Any chance there's a web.config in the
subfolder too (that would override the root)?

Also, per your comment above, I'll be anxious to read Steve's response. I've
been working through all this same stuff lately. To me, redirectfromloginpage
is one of those times where asp.net does *too* much to make it easy, so you
don't really understand what's happening underneath. Afaik, it combines
creating the cookie, creating the authentication ticket stored in the cookie,
persisting them or not, and redirecting to the requested page. You can do all
these yourself if you understand what's happening, and you're forced to do
that in cases I run into all the time, such as wanting to name the cookie
myself, keeping multiple cookies, playing with timeout values per user, etc.
Best discussion I've seen of all this is in Esposito's Programming ASP.NET
(best discussion of most *anything* is in that book). There's also a ton of
great stuff in this forum.

Bill

 

[Andy Sutorius]

Bill,

Thanks for the extra eyes. In fact there is a web.config in the subfolder
with the same deny/allow so I took it out. Getting the same action though.
I've got something silly turned on/off, I just know it.

I like this article and related code:
http://www.theserverside.net/articles/article.tss?l=FormAuthentication

Andy

 

[Steve C. Orr [MVP, MCSD]]

It's behaving like the cookie isn't being set.
This is a way to explicitly set the cookie, so I thought it would be worth a
try. Then you can do a standard redirect and see if it works.