tags:

views:

364

answers:

6
+1  Q: 

Find cause of Redirect in ASP.NET?

I'm trying to put in an exception in my web.config so that one page does not require authentication. However, it still redirects to the login page.

The question isn't how to setup the web.config. Why? Our system (for better or worse) has a bunch of instrumentation besides the web.config. We have global.asax and custom HttpHandlers. The code base isn't huge, but there's a lot of potential causes for the redirect.

What I do want to know is how to best determine the cause of the redirect. Is there some way to find out what code triggered the redirect?

A: 

Have you tried turning on Tracing? That may help.

How are you specifying the page doesn't require authentication, like:

<system.web>
...
</system.web>

<location path="NoAuthNeeded.aspx">
    <system.web>
        <authorization>
        <allow roles="*" />
        <allow roles="?" />
        </authorization>
    </system.web>
</location>
Gordon Bell  2008-11-18 18:43:47
Trace isn't terribly helpful since it only shows the page that is loaded AFTER the redirect was triggered. It doesn't tell you anything about the programmatic origin of the redirect.
Larsenal  2008-11-18 18:58:45
A: 

Doesn't the returnUrl querystring value contain any clues?

Cheers
Kev

Kev  2008-11-18 19:10:43
It's not much of a clue... it just shows the URL i was trying to navigate to.
Larsenal  2008-11-18 19:17:14
A: 

When a request is made to an asp.net page requiring authentication, asp.net redirects to the specified login page with supplying a ReturnUrl querystring argument identifying the original requested page by default. While this ReturnUrl is configurable, if you have not modified the configuration, it's presence should indicate that authentication failed.

In this case, you should be focused on troubleshooting the authentication settings for the page. Gordon Bell's answer looks good for this.

<system.web>
...
</system.web>

<location path="NoAuthNeeded.aspx">
    <system.web>
        <authorization>
        <allow roles="*" />
        <allow roles="?" />
        </authorization>
    </system.web>
</location>
HectorMac  2008-11-18 19:15:57
The situation is much more complicated than simply getting the web.config settings right. That's why I limited the scope of the question. I'll try to clarify the description.
Larsenal  2008-11-18 19:18:14
A: 

Put a breakpoint at the beginning of each HTTP handler and notice which one is the last invoked handler before the redirect occurs. You will probably find the cause of the problem in that one.

Jonas Kongslund  2008-11-18 19:36:26
+1  A: 

If you can debug the app, starting from HttpApplication.BeginRequest in global.asax and stepping through System.Web's reference source would be the brute force way.

Alternatively, set a breakpoint on HttpResponse.Redirect(string, bool) and follow the call stack - I doubt there's any other ways that the runtime uses to redirect a request.

If that doesn't turn anything up (or you can't debug), and since the brute force method is likely to lead through a lot of code - and it seems your problem is security related - you could probably just hook HttpApplication. AuthenticateRequest and HttpApplication. AuthorizeRequest, (and it's associated Post* events) and seeing what things look like there.

If you're using Forms Authentication, I happen to know that the FormsAuthenticationModule looks for a status code of 401 at HttpApplication.EndRequest to decide whether to redirect the request. Anything that sets 401 (access denied) will result in a redirect - not the 401 being returned to the browser.

Mark Brackett  2008-11-18 19:39:45
+1  A: 

Also, if this is only happening in your production app, you might be able to find out what is going on using WinDBG. Loosely following this article you'd do the following:

  • Fire up WinDBG and attach to the w3wp process
  • WinDBG will breakpoint, so do a .loadby sos mscorwks which will load the SOS module
  • type sxe clr to breakpoint on CLR exceptions
  • type g to continue on

Now your app will break on any exception. Since Response.Redirect typically throws a ThreadAbortException it might be a simple way to break. Then do a !printexception to get the stack trace. You can also do a ~*e!clrstack if my WinDBG foo isn't failing me to see the managed stack for all the threads currently executing.

Note that you freeze the w3wp process while you are broken in, so be quick!

Hopefully you can use another method instead, but if all else fails, this might help you get started.

Cory Foy  2008-11-18 19:49:15

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps