Forms Authentication - Redirect Back to Original Domain

0
votes

Example:

Application = https://test2.mytest.com/MyApplication/Download.aspx

The application has forms authentication enabled in the web.config:

<authentication mode="Forms">
  <forms loginUrl="https://test.mytest.com/Login/" name=".ASPXAUTH"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>

When accessing the application it correctly redirect to the login page:
https://test.mytest.com/Login/?ReturnUrl=%2fMyApplication%2fDownload.aspx

However, after successfully logging in it goes to:
https://test.mytest.com/MyApplication/Download.aspx
instead of
https://test2.mytest.com/MyApplication/Download.aspx

It is using the sub-domain of where the login application is (test.mytest.com), not the sub-domain of the original request (test2.mytest.com). Is there anyway to have forms authentication redirect back to the original requesting sub-domain instead of the sub-domain that the login app is on?

Any help on this would be greatly appreciated.

1
asp.netredirectloginforms-authenticationsubdomain

1 Answers

2
votes

Yes it is certainly possible, but you'll need to make changes on both the authenticating sub domain and the sub domain requiring authentication.

The sub domain requiring authentication.
The issue you're having is that when an anonymous user attempts to access a secured resource ASP.NET forms authentication redirects them to the login page and appends the original requested resource in the "ReturnURL" query string but this ReturnURL parameter is a relative URL.

So to get this to work in the way you want, you'll need to manipulate the ReturnURL parameter to indicate in some way that the return is to a different site.

One way to do this is to manipulate the ReturnURL using an HttpHandler to hook into the PostAuthenticateRequest, as detailed in this article, Forms Authentication With Absolute Return URLs.

The authenticating sub domain
To enable redirection to the calling subdomain you'll need to set the enableCrossAppRedirects attribute to "true" in the forms section of the web.config to allow redirection to a URL in another web application. Be aware of the implications of this though as it leaves you open to open redirection attacks.

An alternative and more secure approach to just setting the sub domain address directly on the ReturnURL (helping prevent open redirection attacks) is to modify the ReturnURL to contain a known parameter in the querystring and then modify the Application_EndRequest in the global.asax.cs of the authenticating subdomian as mentioned here and here to rewrite the Response.RedirectLocation.