1. Original Entry + Comments2. Write a Comment3. Preview Comment


May 08, 2012  |  Login redirection (and back) in ASP.NET Web Pages Razor  |  12453 hit(s)

When you use membership security in ASP.NET Web Pages Razor, you can limit access to pages so that only logged-in users can see those pages. One way to do that, as explained before, is to add a test like the following to the top of a page (or to the _PageStart.cshtml page in the protected folder):

@{
    if (!WebSecurity.IsAuthenticated) {
        Response.Redirect("~/Login");
    }
}

If the user isn't logged in, they're redirected to the Login page (in this case, in the site's root).

Nice, but then the user still has to find their way back to the page they originally wanted. Ideally, after the user has logged in, you send them back to the original page automatically. And because they're now logged in, the gatekeeper code lets them through.

The usual way to approach this is to include a return URL address when you redirect to the login page. You can add it as a query-string value to the login URL. Then in the login page, once the user has logged in ok, you can get that return URL and jump back.

Here's an updated version of the code from above with some logic to create a return URL:

if (!WebSecurity.IsAuthenticated) {
     Response.Redirect("~/Login?returnUrl=" + Request.Url.LocalPath);
}

For a URL like the following:

http://localhost/members/info.cshtml

The Request.Url.LocalPath property returns this:

/members/info.cshtml

So the URL of the redirect to the Login page looks like this:

http://localhost/Login?returnUrl=/members/info.cshtml

The login page can then return to the original page using logic like this:

if(IsPost){
    var username = Request.Form["username"];
    var password = Request.Form["password"];
    bool rememberMe = Request.Form["rememberMe"].AsBool();

    // Various kinds of validations and checks for user 
    // existence here, then ...

    if (WebSecurity.Login(username, password, rememberMe)) {
        if(!Request.QueryString["returnUrl"].IsEmpty()){
            Context.RedirectLocal(Request.QueryString["returnUrl"]);
        }
        else{
            Response.Redirect("~/"); // Goes to site home
        }
    }
}

Update (2018 Jul 29)  Someone has noted in the comments that in ASP.NET MVC (.NET Core 2.0+), RedirectLocal is a method on the base page, not on HttpContext, as it was when I wrote this. See the docs.

Notice that the redirection back to the original page is done with the Context.RedirectLocal method. You could use Response.Redirect. But Context.RedirectLocal makes sure that redirection is performed only if the return URL is local to the site. This helps prevent someone from hacking in a complete URL that would redirect to an external site in order to try to snatch authentication tokens or what have you.

If you happen to be using the Starter Site template in WebMatrix (v2 Beta or later), the login page already has this built in. In any page that you create where you want to let the user log in and then return, make sure you add a query string when you invoke the login page, and set returnUrl to the local path of the current page, as illustrated above.





Mark   15 Mar 13 - 11:39 PM

Thanks for this. It helped me understand it more and fix my application.

 
michael   23 Nov 14 - 2:41 PM

Thanks. concise and clear.
MichaelW. Isreal.


 
Anonymous   29 Jul 18 - 6:36 AM

I just wanted to update the code. PageModel now uses LocalRedirect instead of Context.RedirectLocal.

 
mike   29 Jul 18 - 9:28 AM

Updated. Thanks!