tags:

views:

242

answers:

1
+1  Q: 

ReturnUrl = Default.aspx for MVC?

I'm trying to secure my entire MVC site, so before the Home controller, I added an [Authorize] attribute.

Now if you run it from Visual Studio or navigate using the root URL (e.g. http://localhost:2897) it does redirect to the login page, as expected. However the URL in the address bar after redirection looks like this: http://localhost:2897/Account/LogOn?ReturnUrl=%2fdefault.aspx%3f

I haven't tested this out, seeing as I have not implemented my authentication code. However, this looks like a big problem to me, since I do not have a default.aspx in my project!

My authentication tag in the web.config looks like this:

<authentication mode="Forms">
   <forms loginUrl="~/Account/LogOn" defaultUrl="~/Home/Index" timeout="2880"/>
</authentication>

Why doesn't it pick up this route as the default ReturnUrl instead of default.aspx?

+2  A: 

ASP.NET (to be precise, FormsAuthentication.RedirectFromLoginPage) always ignores the defaultUrl setting in web.config when a ReturnUrl parameter is present. It's only honored when you go directly to the login page without passing any ReturnUrl parameters.

ASP.NET MVC project template provides a blank Default.aspx template to handle requests like that in IIS Classic pipeline mode. You should be fine with that.

Mehrdad Afshari  2010-04-21 17:51:45
Hmmm .. guess I'm not asking my question correctly. I guess my real question is, how can I get it to set the ReturnUrl to be Home/Index instead of default.aspx? That is, when the person is navigating to the root URL, not a specific route. (If the person is navigating to a specific route, the ReturnUrl is correct.)
Cynthia  2010-04-21 17:55:37
@Cynthia: I see your point. The problem is, in fact, the Web server tries to serve the default document when you request "/". The default template shipped with ASP.NET MVC *transparently* rewrites requests to "default.aspx" to "/" route *on the server* and tries to execute the action but since it requires authentication, it'll redirect the user to the login page using the current URL as the return URL (which is still `default.aspx`). Effectively, you get what you want (except getting `default.aspx` displayed in the address bar). You'll have less issues in integrated mode.
Mehrdad Afshari  2010-04-21 18:03:41
OK, I tried it out and Default.aspx does go to the default controller/action. So .. nevermind! I thought it would bomb, but apparently not. Thanks!
Cynthia  2010-04-21 18:06:05
If you're obsessed with that (not having `default.aspx` show up in the address bar), you should map the "/" route explicitly to a separate action method that redirects people to "Home/Index" without requiring authorization (with `return Redirect(...)` and adding a `MapRoute` call before the default one to handle the "/" request) and protect "Home/Index" with `[Authorize]`.
Mehrdad Afshari  2010-04-21 18:07:38

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication