How do you solve the infinite login loop problem when you are using cookieless sessions and cannot change the name of login.aspx to an HttpHandler?
i.e. When a user with admin rights hits the logout button and the return URL to a restricted page is passed to login.aspx, then another user without admin rights tries to login, they get redirected back to the login page.
I have come across this solution but I cannot change the name of login.aspx to an HTTP handler, and the isauthenticated function doesn't seem to work in the aspx page with cookieless auth because the forms auth ticket seems to be stripped from the URL when redirected back to the login page.
EDIT:
Because this application is already in production I cannot alter the page flow of the login/logout/timeout process or rename the login page.
Check if the user is authorized to access the page in the returnUrl, after log in on the login.aspx page. You might use this method of the UrlAuthorizationModule (or a custom one if it works best for you):
// Returns true if userPrincipal is allowed to GET returnUrl under the <authorization> rules
System.Web.Security.UrlAuthorizationModule.CheckUrlAccessForPrincipal(
    returnUrl,
    userPrincipal,
    "GET");
If the user isn't authorized, just redirect to a page that the user can access.
To get the user Principal:
// Roles come from the configured role provider; the identity is built from the user name
var roles = System.Web.Security.Roles.GetRolesForUser(username);
var principal = new System.Security.Principal.GenericPrincipal(
    new System.Security.Principal.GenericIdentity(username),
    roles
);
We had a similar problem, and I fixed it doing the following:
If "LogOut".Equals(e.CommandName) Then
FormsAuthentication.SignOut()
Response.Redirect("~/Login.aspx")
End If
And then in Login.aspx we change the PostBackUrl to Login.aspx if it contains a ReturnUrl parameter that sends the user back to Login.aspx.
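Putting the two answers together, here is an added example of a Login.aspx code-behind (not code from either answer or from the asker's application). It assumes the standard Membership and Roles providers are configured in web.config, that the page has UserName, Password and FailureText controls, and that "~/Default.aspx" is a page every authenticated user may reach. After a successful credential check it builds the principal the user is about to become, rejects a ReturnUrl that is off-site or points back at the login page, asks UrlAuthorizationModule whether that principal may GET the ReturnUrl, and only then redirects there; otherwise it issues the ticket and sends the user to the safe landing page, which is what breaks the loop:

```csharp
// Login.aspx.cs (added example; names of controls and the landing page are assumptions)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed: a page that every authenticated user is authorized to view.
    private const string SafeLandingPage = "~/Default.aspx";

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string username = UserName.Text;   // assumed TextBox controls on the page
        string password = Password.Text;

        if (!Membership.ValidateUser(username, password))
        {
            FailureText.Text = "Invalid user name or password."; // assumed Literal control
            return;
        }

        // With cookieless auth HttpContext.User is not populated yet at this point,
        // so build the principal the user will have from the role provider.
        string[] roles = Roles.GetRolesForUser(username);
        IPrincipal principal = new GenericPrincipal(new GenericIdentity(username), roles);

        string returnUrl = Request.QueryString["ReturnUrl"];

        if (IsSafeReturnUrl(returnUrl) && IsAuthorizedFor(returnUrl, principal))
        {
            // Normal case: the new user may see the page they were sent from.
            // RedirectFromLoginPage inserts the cookieless ticket into the URL.
            FormsAuthentication.RedirectFromLoginPage(username, false);
        }
        else
        {
            // ReturnUrl is missing, loops back to Login.aspx, or belongs to a page
            // this user may not view: issue the ticket and go somewhere reachable.
            FormsAuthentication.SetAuthCookie(username, false);
            Response.Redirect(SafeLandingPage);
        }
    }

    // Rejects empty, absolute/off-site and Login.aspx return URLs.
    private static bool IsSafeReturnUrl(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return false;
        if (returnUrl.StartsWith("//") || returnUrl.Contains("://")) return false;
        if (!returnUrl.StartsWith("/") && !returnUrl.StartsWith("~/")) return false;

        // VirtualPathUtility does not accept query strings, so strip them first.
        string path = VirtualPathUtility.ToAbsolute(StripQuery(returnUrl));
        string loginPath = VirtualPathUtility.ToAbsolute(StripQuery(FormsAuthentication.LoginUrl));
        return !string.Equals(path, loginPath, StringComparison.OrdinalIgnoreCase);
    }

    // Asks the <authorization> rules in web.config whether this principal may GET the path.
    private static bool IsAuthorizedFor(string returnUrl, IPrincipal principal)
    {
        string path = VirtualPathUtility.ToAbsolute(StripQuery(returnUrl));
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, principal, "GET");
    }

    private static string StripQuery(string url)
    {
        int q = url.IndexOf('?');
        return q < 0 ? url : url.Substring(0, q);
    }
}
```

The authorization check runs against the path only, since CheckUrlAccessForPrincipal evaluates location-based rules and a query string would make it throw or mismatch. Comparing the ReturnUrl against FormsAuthentication.LoginUrl rather than a hard-coded "Login.aspx" keeps the check correct if the login page is ever moved in web.config.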