I'm trying to secure my entire MVC site, so before the Home controller, I added an [Authorize] attribute.

Now if you run it from Visual Studio or navigate using the root URL (e.g. http://localhost:2897) it does redirect to the login page, as expected. However the URL in the address bar after redirection looks like this: http://localhost:2897/Account/LogOn?ReturnUrl=%2fdefault.aspx%3f

I haven't tested this out, seeing as I have not implemented my authentication code. However, this looks like a big problem to me, since I do not have a default.aspx in my project!

My authentication tag in the web.config looks like this:

    <authentication mode="Forms">
       <forms loginUrl="~/Account/LogOn" defaultUrl="~/Home/Index" timeout="2880"/>
    </authentication>

Why doesn't it pick up this route as the default ReturnUrl instead of default.aspx?

+2  A: 

ASP.NET (to be precise, FormsAuthentication.RedirectFromLoginPage) always ignores the defaultUrl setting in web.config when a ReturnUrl parameter is present. It's only honored when you go directly to the login page without passing any ReturnUrl parameters.

The ASP.NET MVC project template provides a blank Default.aspx template to handle requests like that in IIS Classic pipeline mode. You should be fine with that.

Mehrdad Afshari
Hmmm .. guess I'm not asking my question correctly. I guess my real question is, how can I get it to set the ReturnUrl to be Home/Index instead of default.aspx? That is, when the person is navigating to the root URL, not a specific route. (If the person is navigating to a specific route, the ReturnUrl is correct.)
Cynthia
@Cynthia: I see your point. The problem is, in fact, the Web server tries to serve the default document when you request "/". The default template shipped with ASP.NET MVC *transparently* rewrites requests to "default.aspx" to "/" route *on the server* and tries to execute the action but since it requires authentication, it'll redirect the user to the login page using the current URL as the return URL (which is still `default.aspx`). Effectively, you get what you want (except getting `default.aspx` displayed in the address bar). You'll have fewer issues in integrated mode.
Mehrdad Afshari
OK, I tried it out and Default.aspx does go to the default controller/action. So .. never mind! I thought it would bomb, but apparently not. Thanks!
Cynthia
If you're obsessed with that (not having `default.aspx` show up in the address bar), you should map the "/" route explicitly to a separate action method that redirects people to "Home/Index" without requiring authorization (with `return Redirect(...)` and adding a `MapRoute` call before the default one to handle the "/" request) and protect "Home/Index" with `[Authorize]`.
Mehrdad Afshari
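
The arrangement described in the last comment, sketched as an added example that is not code from the original thread. `RootController` and the route name `"Root"` are hypothetical, and the sketch assumes the request for "/" actually reaches ASP.NET routing (as in IIS integrated mode) instead of being rewritten to `default.aspx` by the server first.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

        // Matches only the empty path ("/"). Registered before the default
        // route so that "/" never falls through to the protected Home/Index.
        routes.MapRoute(
            "Root",                                   // hypothetical route name
            "",
            new { controller = "Root", action = "Index" });

        routes.MapRoute(
            "Default",
            "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = "" });
    }

    protected void Application_Start()
    {
        RegisterRoutes(RouteTable.Routes);
    }
}

// Deliberately NOT decorated with [Authorize]: its only job is to send the
// browser to a fixed, server-chosen URL. It reads no user input.
public class RootController : Controller              // hypothetical controller
{
    public ActionResult Index()
    {
        return Redirect(Url.Action("Index", "Home"));
    }
}

// Everything that renders content stays behind [Authorize]. An anonymous
// visitor who lands here is sent to loginUrl with ReturnUrl=%2fHome%2fIndex.
[Authorize]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

With this layout the only anonymous endpoints are the login page and the fixed redirect; any controller added later still needs its own `[Authorize]`, because the unprotected root action does not extend protection to anything else.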