none
Post Authentication URL Redirection RRS feed

  • Question

  • The parameter in the ReturnURL can be modified to redirect the user to any site. Thus, an attacker can redirect the user to a malicious site where valuable information could be exposed such as the user's cookie. How do we prevent this happening?

    Example: /_layouts/login.aspx?ReturnUrl=http://xyz.com

    The URL above will take user to the login screen. Once user authenticate, it will be redirected over to xyz.com site.

    I tried following .. but it doesn't work for me.

    <forms loginUrl="/_layouts/login.aspx" requireSSL="true" enableCrossAppRedirects="false" defaultUrl="/pages/home.aspx"/>


    Regards, Vasanth TT

    Thursday, May 9, 2013 8:03 AM

All replies

  • Hi,

    I understand that you want to redirect to home.aspx page after authentication. Here are two ways to achieve this:

    1. RedirectFromLoginPage(). This method creates the Forms Authentication Ticket, adds the encrypted cookie to the Response object, and redirects the user.
    2. Edit the defaultUrl property in web.config file to redirect  user. Make sure you have set the defaultUrl correctly.

    For more information, please refer to this site:

    Codesnip: Redirecting a User to a Specific Page with Forms Authentication: http://aspalliance.com/684_Codesnip_Redirecting_a_User_to_a_Specific_Page_with_Forms_Authentication

    Thanks,

    Entan Ming

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contacttnmff@microsoft.com.


    Entan Ming
    TechNet Community Support

    Friday, May 10, 2013 2:51 AM
    Moderator
  • Actually i don't want application to redirect cross application. I mean, i need only redirect pages in current application. If ?ReturnUrl=http://google.com I don't want my application to redirect to google.com after I signin.

    Regards, Vasanth TT

    Friday, May 10, 2013 5:52 AM
  • Hi,

    Thank you for your post.
    I'm trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thanks ,
    Entan Ming


    Entan Ming
    TechNet Community Support

    Friday, May 10, 2013 9:42 AM
    Moderator
  • Thanks Entan Ming.. Waiting for the support.

    Regards, Vasanth TT

    Friday, May 10, 2013 11:07 AM
  • What type of authentication are you using?
    Thursday, May 30, 2013 2:01 PM
  • Hi if you need further assistance in this regard, please open a support ticket with Microsoft
    Friday, May 31, 2013 11:26 PM