1
votes

I have an ASP.NET website which uses forms authentication. When I provide a link to a secure page on the website in a Microsoft Word document, it sets a return URL even when I'm already logged in to the website. This means I am redirected to the login page, which then directs me to the unauthorised access page even though I am authorised to see the page.

My web.config code:

<authentication mode="Forms">
  <forms protection="All" requireSSL="true" name="BSOAuthCookie" loginUrl="~/Login/Login.aspx" defaultUrl="~/secure/securepage.aspx" cookieless="UseCookies" timeout="30" />
</authentication>

This is the code in the page load of my login page to redirect me to the unauthorised access page:

        If Request.IsAuthenticated AndAlso Not String.IsNullOrEmpty(Request.QueryString("ReturnUrl")) Then
            ' This is an unauthorized, authenticated request...
            Response.Redirect("~/UnauthorisedAccess.aspx")
        End If

If I put the same link in an email and click it, it appears to work fine.


1 Answer

1
votes

Using requireSSL="true", you force the authentication cookie to be readable only on secure pages; any unsecured page does not pass the authentication.

Add this assertion to your code, before the IsAuthenticated check, to double-check that you are being called from a secure page.

Debug.Assert(HttpContext.Current.Request.IsSecureConnection
                                                  , "Must be on secure page");

Also set domain="sitename.com", without the www, to force the authentication cookie to be set for both the domain and its subdomains.

<authentication mode="Forms">
  <forms domain="sitename.com"
         protection="All" requireSSL="true" name="BSOAuthCookie"
         loginUrl="~/Login/Login.aspx" defaultUrl="~/secure/securepage.aspx"
         cookieless="UseCookies" timeout="30" />
</authentication>
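
The two cookie-scope effects the answer relies on (the Secure flag that requireSSL="true" produces and the Domain attribute), modelled as an added example that is not part of the original question or answer. It follows the RFC 6265 domain-match and secure-only rules; the www.sitename.com issuing host and the function names are assumptions made for illustration.

```javascript
// Added example (not from the original post): models the RFC 6265 rules a browser
// uses to decide whether the forms-authentication cookie accompanies a request.
// BSOAuthCookie and sitename.com come from the page; the www host is an assumption.

// RFC 6265 domain-match: same host, or host ends with "." + domain.
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Store a cookie as a browser would. Without a Domain attribute it is host-only.
function storeCookie(issuingHost, { name, domain = null, secure = false }) {
  // A Domain the issuing host does not belong to is rejected outright.
  if (domain !== null && !domainMatch(issuingHost, domain)) return null;
  const scope = (domain === null ? issuingHost : domain).toLowerCase().replace(/^\./, "");
  return { name, secure, hostOnly: domain === null, domain: scope };
}

// Decide whether the cookie is sent with a request, and give the reason.
function cookieDecision(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie withheld on non-HTTPS request" };
  }
  const hostOk = cookie.hostOnly
    ? url.hostname === cookie.domain
    : domainMatch(url.hostname, cookie.domain);
  if (!hostOk) {
    return { sent: false, reason: "request host outside cookie scope" };
  }
  return { sent: true, reason: "cookie attached" };
}

// Question's config: requireSSL="true", no domain attribute.
const hostOnly = storeCookie("www.sitename.com", { name: "BSOAuthCookie", secure: true });
// Answer's config: the same cookie with domain="sitename.com".
const domainWide = storeCookie("www.sitename.com", {
  name: "BSOAuthCookie", domain: "sitename.com", secure: true,
});

for (const link of [
  "https://www.sitename.com/secure/securepage.aspx",
  "http://www.sitename.com/secure/securepage.aspx",
  "https://sitename.com/secure/securepage.aspx",
]) {
  console.log(link, "| host-only:", cookieDecision(hostOnly, link).reason,
    "| domain-wide:", cookieDecision(domainWide, link).reason);
}
```

A request that arrives without the cookie is treated as anonymous by forms authentication, which is what sends it to loginUrl with a ReturnUrl query string.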