About

I'm Mike Pope. I live in the Seattle area. I've been a technical writer and editor for over 30 years. I'm interested in software, language, music, movies, books, motorcycles, travel, and ... well, lots of stuff.

Read more ...

Blog Search


(Supports AND)

Google Ads

Feed

Subscribe to the RSS feed for this blog.

See this post for info on full versus truncated feeds.

Quote

Patriotism is proud of a country's virtues and eager to correct its deficiencies; it also acknowledges the legitimate patriotism of other countries, with their own specific virtues. The pride of nationalism, however, trumpets its country's virtues and denies its deficiencies, while it is contemptuous toward the virtues of other countries. It wants to be, and proclaims itself to be, "the greatest", but greatness is not required of a country; only goodness is.

Sidney J. Harris



Navigation





<November 2017>
SMTWTFS
2930311234
567891011
12131415161718
19202122232425
262728293012
3456789

Categories

  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  
  RSS  

Contact

Email me

Blog Statistics

Dates
First entry - 6/27/2003
Most recent entry - 11/17/2017

Totals
Posts - 2460
Comments - 2563
Hits - 1,999,326

Averages
Entries/day - 0.47
Comments/entry - 1.04
Hits/day - 380

Updated every 30 minutes. Last: 8:04 PM Pacific


  11:20 PM

When you use membership security in ASP.NET Web Pages Razor, you can limit access to pages so that only logged-in users can see those pages. One way to do that, as explained before, is to add a test like the following to the top of a page (or to the _PageStart.cshtml page in the protected folder):

@{
if (!WebSecurity.IsAuthenticated) {
Response.Redirect("~/Login");
}
}
If the user isn't logged in, they're redirected to the Login page (in this case, in the site's root).

Nice, but then the user still has to find their way back to the page they originally wanted. Ideally, after the user has logged in, you send them back to the original page automatically. And because they're now logged in, the gatekeeper code lets them through.

The usual way to approach this is to include a return URL address when you redirect to the login page. You can add it as a query-string value to the login URL. Then in the login page, once the user has logged in ok, you can get that return URL and jump back.

Here's an updated version of the code from above with some logic to create a return URL:

if (!WebSecurity.IsAuthenticated) {
Response.Redirect("~/Login?returnUrl=" + Request.Url.LocalPath);
}
For a URL like the following:

http://localhost/members/info.cshtml

The Request.Url.LocalPath property returns this:

/members/info.cshtml

So the URL of the redirect to the Login page looks like this:

http://localhost/Login?returnUrl=/members/info.cshtml

The login page can then return to the original page using logic like this:

if(IsPost){
var username = Request.Form["username"];
var password = Request.Form["password"];
bool rememberMe = Request.Form["rememberMe"].AsBool();

 


// Various kinds of validations and checks for user
// existence here, then ...

 


if (WebSecurity.Login(username, password, rememberMe)) {
if(!Request.QueryString["returnUrl"].IsEmpty()){
Context.RedirectLocal(Request.QueryString["returnUrl"]);
}
else{
Response.Redirect("~/"); // Goes to site home
}
}
}
Notice that the redirection back to the original page is done with the Context.RedirectLocal method. You could use Response.Redirect. But Context.RedirectLocal makes sure that redirection is performed only if the return URL is local to the site. This helps prevent someone from hacking in a complete URL that would redirect to an external site in order to try to snatch authentication tokens or what have you.

If you happen to be using the Starter Site template in WebMatrix (v2 Beta or later), the login page already has this built in. In any page that you create where you want to let the user log in and then return, make sure you add a query string when you invoke the login page, and set returnUrl to the local path of the current page, as illustrated above.

[categories]   ,

[3] |