In ASP.Net, is anyone aware of a way to bypass Forms Authentication if a specific query string parameter is passed in?

Such as:

mydomain.com/myprotectedpage.aspx

...I would like to be protected by Forms Authentication (and so, redirected to login page)

mydomain.com/myprotectedpage.aspx?myBypassParameter=me

...I would like the page to render as normal

Is this at all possible?

+3  A: 

Not really any "official" way of doing it.

You could do what I do, which is to have a base page instead of System.Web.UI.Page, like so:

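Imports System.Web.Security

Public MustInherit Class ProtectedPage
    Inherits System.Web.UI.Page

    ' Runs for every page that inherits ProtectedPage.
    Private Sub Page_InitComplete(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.InitComplete
        If User.Identity.IsAuthenticated = False Then
            ' Unauthenticated requests are sent to the login page unless
            ' myBypassParameter is present with any non-empty value.
            If String.IsNullOrEmpty(Request.QueryString("myBypassParameter")) Then
                FormsAuthentication.RedirectToLoginPage()
            End If
        End If
    End Sub

End Class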

Rick Ratayczak
Thanks, I'd hoped for some magic solution, but this is probably going to be the best option.
Paul
A: 

Hi, in your code-behind, you could simply use Request.QueryString["myBypassParameter"] and check its value. If it's an invalid value, then use FormsAuthentication.RedirectToLoginPage or a custom redirect to put the user back at the login page. However, this doesn't seem like a secure method of protecting a page. What if someone got hold of the specific parameter and managed to gain access to your protected page? Also, you want to make sure that the QueryString value is valid (maybe by a regular expression) to ensure the user hasn't passed malicious code which will then be read by your application.

keyboardP
You're correct that your answer doesn't seem very secure.
John K
Is that the reason for the downvote? For explaining how it's done, but recommended against?
keyboardP
Can't really fault the response though. The insecurity lies with the request, not the solution.
Joel Etherton
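
The concern raised in the answer above (a fixed parameter value that anyone who learns it can reuse, and a value that needs validating before use) can be narrowed by making the value a signed, expiring token bound to one page. This is an added example, not code from any of the answers; BypassToken, Issue, IsValid and the token format are assumptions, and the key is assumed to be a random secret held in server-side configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: BypassToken, Issue and IsValid are hypothetical names, not ASP.NET APIs.
public static class BypassToken
{
    // Token format (constructed for this example): "<expiryUnixSeconds>.<hex HMAC-SHA256>"
    public static string Issue(byte[] key, string pagePath, DateTime expiresUtc)
    {
        long expiry = ToUnix(expiresUtc);
        return expiry + "." + Sign(key, pagePath, expiry);
    }

    public static bool IsValid(byte[] key, string pagePath, string token, DateTime nowUtc)
    {
        // Reject missing or oversized input before parsing anything.
        if (string.IsNullOrEmpty(token) || token.Length > 128) return false;
        string[] parts = token.Split('.');
        long expiry;
        if (parts.Length != 2 || !long.TryParse(parts[0], out expiry)) return false;
        if (ToUnix(nowUtc) > expiry) return false; // link has expired
        return FixedTimeEquals(Sign(key, pagePath, expiry), parts[1]);
    }

    private static string Sign(byte[] key, string pagePath, long expiry)
    {
        // The path is part of the signed data, so a token for one page fails on another.
        using (var hmac = new HMACSHA256(key))
        {
            string data = pagePath.ToLowerInvariant() + "\n" + expiry;
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
            return BitConverter.ToString(mac).Replace("-", "");
        }
    }

    private static long ToUnix(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    // Compare without returning early, so timing does not reveal how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In a page check like the one in the first answer, the test on myBypassParameter would become a call to BypassToken.IsValid with Request.Path, the query string value and DateTime.UtcNow. The token is still a bearer value in a URL, so anyone who obtains the link can use it until it expires; a short expiry limits that window.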
A: 

You might be able to jam some quick code into the Application_AuthenticateRequest event. You could then test for the parameter and adjust the User.Identity as necessary to allow the page. You'd have to put in a page check as well to make sure it didn't allow this behavior on all restricted pages.

I wouldn't recommend this design as an approach though. If you need to have a protected area accessed in an anonymous fashion, it'd be better to put all of your functionality into a UserControl and then use a protected/unprotected version of a parent page. This would allow you to control what goes out and when.

Joel Etherton