views:

433

answers:

3

We are using standard asp.net forms authentication. Certain pages require a user to be logged in; and at least some of these pages are delivered by https. There is a search control at the top of each page. When this is used, we don't care whether the user's session has expired, even if the current page requires a log in.

However, currently, when performing the search, the built-in forms authentication sees that the page being posted to requires authentication and redirects the user to the login page, with the previous page, not the search results page as the referrer.

What is the best way of bypassing the security here? I have considered posting to a different page using the PostBackUrl property, but if this is not https you get the "you are posting data to an unsecure connection" message, which users don't like.

Thanks for any help.

Edit: thanks Nick for your suggestion of using a GET on the search page. We are doing this already, but the query string is constructed by the search input control then redirects. How can we build up the query string without using a postback? (Obviously javascript is an option but I was hoping to find an alternative mechanism.)

+2  A: 

For the search page you want to make sure the search is happening via a GET request. (i.e. like google with the "q" in the query string) Chances are you are doing a POST.

So change your

<form method="post" ...>

to

<form method="get" ...>

The biggest mistake most developers make with search pages is to do a post back. HTTP was designed to do queries or searches through the query string (thus the name), and to get a form to post to a query string instead of the body you need to use a "GET" method. This way any search device can use your search page, even the browser's search box.

Second you want to create a special location config for your search page. You add this to your web.config.

<location path="my-search-page.aspx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

This creates a special override for that one page and everything inside the location tag uses the exact same web.config structure to override the web.config.

You will want to repeat this for each page you want to allow all users to.

Nick Berardi
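To show how the location override sits beside the site-wide rule it is overriding, here is a complete web.config fragment as an added example (constructed for this page, not taken from the answer above). The file names login.aspx and my-search-page.aspx and the 30-minute timeout are assumptions.

```xml
<?xml version="1.0"?>
<!-- Constructed example: a minimal forms-authentication web.config
     with one anonymous-access override for the search page. -->
<configuration>
  <system.web>
    <!-- Standard forms authentication: unauthenticated requests to a
         protected page are redirected to login.aspx (assumed name). -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="30" />
    </authentication>

    <!-- Site-wide rule: "?" means anonymous users. Rules are evaluated
         top to bottom and the first match wins, so this denies every
         anonymous request unless a more specific location allows it. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-page override. The rules inside a <location> are merged in
       front of the parent rules, so "allow *" is matched before the
       site-wide "deny ?" and the search page is open to everyone. -->
  <location path="my-search-page.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two checks worth making after adding this: the path attribute is relative to the web.config's own directory, so the override silently matches nothing if the page lives in a subfolder; and because the search page is now reachable anonymously, it should not expose anything the login was protecting (for example, personalised results that assume a logged-in user).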
+1  A: 

If the search results page is performing a postback, the Page_Load event will be fired before your search button is clicked.

So if the page they are on required a login, that login command will be run before the search button click event, sending them back to the login screen.

There are a few ways round this: make the search a normal HTML form and make it perform a GET, not a POST, as mentioned by "Nick".

Or if the whole page is inside a .net postback form you will need to add the search button event to an overload of the page load so it fires first.

This site has a good article on the page life cycle and its overrides. http://www.15seconds.com/issue/020102.htm

TheAlbear
A: 

As suggested in other answers the most correct way to do this would be to have the search input control in a separate form which has a method of get and an action of searchresults.aspx. However this is difficult with aspx as you can only have one server-side form on a page.

In the end the solution I came to, which works very well, was to have an HttpModule that spotted if the "search" button had been clicked (by looking to see if a param with its id existed) then built up a query string by looking for the criteria params and redirected to the search results page. This means that all the authentication / authorisation modules are bypassed as we have already called a redirect to the (unsecured) search results page before they are triggered.

It's slightly brittle but for us it works very well.

Gaz
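The HttpModule approach described in the answer above, written out as an added example (C#, ASP.NET WebForms); this is not Gaz's code. The class name SearchRedirectModule, the control IDs btnSearch, txtQuery and ddlCategory, and the page name searchresults.aspx are assumptions. The module hooks BeginRequest, which runs before AuthenticateRequest and AuthorizeRequest, so a search POST to a protected page is turned into a GET redirect before the authorization check can bounce the user to the login page. The redirect target is a fixed page and only allow-listed criteria fields are copied, so the module cannot be used as an open redirect.

```csharp
// Added example: HttpModule that converts a search-button POST into a GET
// redirect before forms authentication runs. Names are assumptions.
using System;
using System.Collections.Specialized;
using System.Text;
using System.Web;

public class SearchRedirectModule : IHttpModule
{
    // ASP.NET prefixes control IDs with their naming container
    // (e.g. "ctl00$SearchBox$btnSearch"), so we match on the trailing part.
    private const string SearchButtonId = "btnSearch";          // assumed ID
    private static readonly string[] CriteriaIds = { "txtQuery", "ddlCategory" }; // assumed IDs
    private const string ResultsPage = "~/searchresults.aspx";  // assumed page

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before AuthenticateRequest/AuthorizeRequest,
        // so redirecting here means the protected page's authorization
        // check (and the forms-auth redirect to login) never happens.
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Only a POST from the .aspx page can carry the search button click.
        if (request.HttpMethod != "POST") return;

        NameValueCollection form = request.Form;
        if (FindKey(form, SearchButtonId) == null) return;   // not a search submit

        string target = BuildSearchUrl(form);
        if (target == null) return;   // no criteria supplied; let the page handle it

        // Redirect without throwing ThreadAbortException, then stop the pipeline
        // so no later module (including UrlAuthorization) sees this request.
        app.Context.Response.Redirect(target, false);
        app.CompleteRequest();
    }

    // Builds "~/searchresults.aspx?txtQuery=...&ddlCategory=..." from the
    // allow-listed criteria fields only; every value is URL-encoded.
    // Returns null when none of the criteria fields were posted.
    public static string BuildSearchUrl(NameValueCollection form)
    {
        var sb = new StringBuilder(ResultsPage);
        char sep = '?';
        foreach (string id in CriteriaIds)
        {
            string key = FindKey(form, id);
            if (key == null) continue;
            string value = form[key];
            if (string.IsNullOrEmpty(value)) continue;
            sb.Append(sep).Append(id).Append('=').Append(HttpUtility.UrlEncode(value));
            sep = '&';
        }
        return sep == '?' ? null : sb.ToString();
    }

    // Finds the posted field whose name is exactly the ID or ends with "$" + ID.
    private static string FindKey(NameValueCollection form, string id)
    {
        foreach (string key in form.AllKeys)
        {
            if (key == null) continue;
            if (key == id || key.EndsWith("$" + id, StringComparison.Ordinal))
                return key;
        }
        return null;
    }
}
```

The module still has to be registered in web.config, under system.web/httpModules for classic pipeline or system.webServer/modules for IIS integrated mode, and searchresults.aspx itself must be allowed to anonymous users (the location override from the first answer), otherwise the redirect simply lands on the login page again. The brittleness the answer mentions is in FindKey: renaming the search button or its naming container changes the posted field name and silently disables the redirect, so that is the first thing to check if searches start hitting the login page.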