sprocket12

Reputation: 5488

ASP.NET Strange Behaviour

My Register Page is only available to authenticated users, so anyone typing http://localhost:52874/register.aspx will not be able to get to it.

But I have a link to it from the login page, and when clicked it DOES go to the register page without auth using Server.Transfer("Register.aspx", false);

Now that is something that I like, it means it can only be gotten to from the Login.aspx page, which is good.

But, when I press the Submit button on the register page (after the transfer from login.aspx), it puts me back instantly to login.aspx without any processing.

Then I have to add:

  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>

To the web config to allow it to work, which means now it's accessible by URL. So why this behaviour, why allow me to go to it using Server.Transfer yet not let me process the button click?

Upvotes: 0

Views: 162

Answers (4)

Joe Ratzer

Reputation: 18549

From MSDN:

ASP.NET does not verify that the current user is authorized to view the resource delivered by the Transfer method. Although the ASP.NET authorization and authentication logic runs before the original resource handler is called, ASP.NET directly calls the handler indicated by the Transfer method and does not rerun authentication and authorization logic for the new resource. If your application's security policy requires clients to have appropriate authorization to access the resource, the application should force reauthorization or provide a custom access-control mechanism.

So it is by design that Server.Transfer("Register.aspx", false); doesn't authenticate in your scenario.

I think anyone should be able to see the Register page - the user should be able to get there via the URL. Therefore, ensure the Register page is available to unauthenticated users with the web.config file change you outline.

Upvotes: 0
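
One way to do the reauthorization the MSDN passage above asks for, shown as an added example that is not part of the original answers. The `AuthorizedTransfer` class and its `Transfer` method are hypothetical names, and the sketch assumes Forms authentication with `<authorization>` rules in web.config and an app-relative target path such as `~/Register.aspx`.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (added example, not from the original post): re-runs URL
// authorization for the target page before handing the request to it.
public static class AuthorizedTransfer
{
    // virtualPath is assumed to be app-relative, e.g. "~/Register.aspx".
    public static void Transfer(HttpContext context, string virtualPath, bool preserveForm)
    {
        if (context == null) throw new ArgumentNullException("context");
        if (string.IsNullOrEmpty(virtualPath)) throw new ArgumentNullException("virtualPath");

        // context.User can be null early in the pipeline; treat that as anonymous.
        // A GenericIdentity with an empty name reports IsAuthenticated == false.
        IPrincipal user = context.User ??
            new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

        // Evaluates the <authorization> rules that apply to virtualPath, the same
        // rules UrlAuthorizationModule enforces when the page is requested directly.
        bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            virtualPath, user, context.Request.HttpMethod);

        if (!allowed)
        {
            if (user.Identity.IsAuthenticated)
            {
                // Signed in but not permitted: refuse instead of transferring.
                throw new HttpException(403, "Access denied.");
            }

            // Anonymous: send the browser through the normal login flow.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // Only now hand processing to the target page.
        context.Server.Transfer(virtualPath, preserveForm);
    }
}

// Usage inside a page's code-behind (replaces the bare Server.Transfer call):
//   AuthorizedTransfer.Transfer(Context, "~/Register.aspx", false);
```

With this check in place the transfer and the later postback are judged by the same web.config rules, so a page that denies anonymous users is refused at both points rather than only on the postback.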

Kevin Main

Reputation: 2344

If you watch the browser address bar when you do a Server.Transfer, the URL does not change - this is because it stops processing of the current page and starts processing the new one without the browser being aware of it. Hence it bypasses authentication until you post back, i.e. on a button click, at which point it sends you back to the login.

What you should be doing is a Response.Redirect which will change the URL and the authentication will happen correctly.

Upvotes: 1

thatuxguy

Reputation: 2528

https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx - Check out this article about the Membership provider. It may help :)

If you only want users to access the page after logging in, you might need deny users="?" which will deny anon users access to that page.

Upvotes: 0

magritte

Reputation: 7636

It's because Server.Transfer transfers processing of the current request to a different page. This happens after the check to see if you have access to the requested page. I.e. when using Server.Transfer the request was for a page that you have access to, however you circumvented the security by passing on processing of that page to the page that you do not have access to.

Check out Server.Transfer Vs. Response.Redirect

Upvotes: 0
