Solved

ASP.NET PostBackURL executes before login validation

Posted on 2012-09-04
Last Modified: 2012-09-24
Hi, Experts -
I have a simple Default.aspx login panel that prompts for a network Login ID and Password combination - and validates them against our company Active Directory.  It worked fine...until I inserted this line into the LoginButton control: PostBackURL="~/sso.aspx".
<p class="submitButton">
     <asp:Button ID="LoginButton"
          runat="server"
          CommandName="Login"
          Text="Log In"
          PostBackUrl="~/sso.aspx"
          ValidationGroup="LoginUserValidationGroup"/>
</p>

I want the validated Login ID and Password values to be passed to the sso.aspx page and this was what I came up with.  Well - it DOES pass the values but unfortunately it does not authenticate the ID/Password combination against our AD before doing so...Not good!

QUESTION:  How can I have the Default.aspx complete its validation first - and then post the values to sso.aspx?

I'm an ASP.NET noob - and would GREATLY appreciate any insights you can provide.

Many thanks in advance!
Jeff (aka OGSan)
0
Question by:OGSan
11 Comments
 
LVL 18

Expert Comment

by:Rajar Ahmed
ID: 38368740
Either PostBackUrl or the click event; both together are not possible in ASP.NET.

But if the motive is just navigation, you can very much use Response.Redirect in the click event code-behind and remove the PostBackUrl from the markup.
Response.Redirect("navigationpage.aspx");

0
 
LVL 1

Author Comment

by:OGSan
ID: 38369674
I'm using the built-in login authorization structures - so I don't even see an OnClick event in the code anywhere associated with the LoginButton as seen in the snippet of code in my original post above.  I wish I knew what was in the CommandName="Login" - but that's not visible either.  :-(

I'm willing to override the built-in structures and build my own - but I'm not sure where to begin.  I don't want to break what's working - I just need to pass the authenticated Login ID value to another page.  Is there a simple way I can do this?
0
 
LVL 1

Author Comment

by:OGSan
ID: 38370176
OK - now I'm trying to use the OnLoggedIn event and have updated the Default.aspx.cs code-behind with Lines 17-20 below:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Configuration;
using System.Text;

namespace SSO
{
    public partial class SSODefault : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }
        protected virtual void OnLoggedIn(EventArgs e)
        {
            Response.Redirect(sso.aspx(LoginUser.UserName));
        }
    }
}

But I get an error, "The name 'sso' does not exist in the current context."  Is there a way I can get around this error?
0
 
LVL 9

Expert Comment

by:darjimaulik
ID: 38370849
Hi
It should be
Response.Redirect("~/sso.aspx?user=" + LoginUser.UserName);

Response.Redirect takes a URL as a parameter. The URL should be in string format.

"~/" in the path means the sso.aspx file is at the root folder of the application.
If sso.aspx is inside the admin folder then the path would be
"~/admin/sso.aspx"

?user is a query string passed to the next page. Or, if the login is successful, you can store the username in session.
0
 
LVL 1

Author Comment

by:OGSan
ID: 38370985
Thanks, darjimaulik - great explanation!  I've made the change to my Default.aspx.cs - and then tried to insert this into the Page_Load event on the receiving page, sso.aspx.cs:
            Response.Write(GenerateForm(Request.QueryString().ToString));
But I get a squiggly line underneath QueryString with the error message, "Non-invocable member 'System.Web.HttpRequest.QueryString' cannot be used like a method."
What the heck does THAT mean?

All I'm trying to do is retrieve the value passed in the QueryString, and use it in the GenerateForm routine.
0
 
LVL 9

Expert Comment

by:darjimaulik
ID: 38370989
You cannot use Request.QueryString().ToString.

Request.QueryString is a collection.
You need to mention the string variable in the brackets to get its value.

like

this.txtBox1.Text = Request.QueryString["Name"];
this.txtBox2.Text = Request.QueryString["LastName"];
0
 
LVL 1

Author Comment

by:OGSan
ID: 38371023
Thanks, darjimaulik - But there still seems to be no AD authentication going on.  The Default.aspx lets me enter an invalid password value and the Response.Redirect still occurs.  :-(
In addition - I added in a little textbox in the sso.aspx program to display the value being passed from Default.aspx, but nothing ever appears in it.  :-(
Here is my Default.aspx.cs:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Configuration;
using System.Text;

namespace SSO
{
    public partial class SSODefault : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }
        protected virtual void OnLoggedIn(EventArgs e)
        {
            Response.Redirect("~/sso.aspx?user=" + LoginUser.UserName);
        }
    }
}

And here is the sso.aspx.cs (I've commented out Line 20, which is where the UserName value is used in the GenerateForm routine, and instead just display the passed value in a textbox...but nothing ever appears there):
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Configuration;
using System.Text;

namespace SSO
{
    public partial class SSO : System.Web.UI.Page
    {
        public new bool Error { get; set; }
        public string ErrorDescription { get; set; }

        protected void Page_Load(object sender, EventArgs e)
        {
            TextBox1.Text = Request.QueryString["user"];
            //  System.Web.HttpContext.Current.Response.Write(GenerateForm(Request.QueryString["user"]));
        }

        public string GenerateForm(string userId)
        {
            StringBuilder sbForm = new StringBuilder();
            //get base url and all other URLs
            string acct = ConfigurationManager.AppSettings.Get("acct");
            string ssoURL = ConfigurationManager.AppSettings.Get("baseURL");
            string ouId = ConfigurationManager.AppSettings.Get("ouId");
            string logoutURL = ConfigurationManager.AppSettings.Get("logoutURL");
            string timeoutURL = ConfigurationManager.AppSettings.Get("timeoutURL");
            string errorURL = ConfigurationManager.AppSettings.Get("errorURL");
            string destURL = ConfigurationManager.AppSettings.Get("destURL");

            //get the encrypted token

            string encryptedToken = WCyberu.GetSecurityToken(acct, userId, string.Empty, logoutURL, timeoutURL, errorURL, destURL);
            if (Error)
            {
                if (!string.IsNullOrEmpty(errorURL))
                {
                    sbForm.AppendLine("<html>").AppendFormat("<body onload=\"window.location.href='{0}';\">", errorURL);
                    sbForm.AppendLine("</body>").AppendLine("</html>");
                }
                else
                {
                    sbForm.AppendFormat("<html><body><p>{0}</p></body></html>", ErrorDescription);
                }
            }
            else
            {
                sbForm.AppendLine("<html>").AppendLine("<body onload=\"document.forms[0].submit();\">");
                sbForm.AppendFormat("<form method=\"POST\" action=\"{0}\">", ssoURL).AppendLine();
                sbForm.AppendFormat("<input type=\"hidden\" name=\"key\" value=\"{0}\"/>", encryptedToken).AppendLine();
                sbForm.AppendFormat("<input type=\"hidden\" name=\"ouid\" value=\"{0}\"/>", ouId);
                sbForm.AppendLine("</form>").AppendLine("</body>").AppendLine("</html>");
            }
            return sbForm.ToString();
        }
    }
}

0
 
LVL 9

Expert Comment

by:darjimaulik
ID: 38371032
Where is the code which checks the username and password in AD?
The steps would be:
User enters username and password.
Clicks on Submit/Login button.
Code checks if the user is authenticated. (I don't see the code for this)
If authenticated, then it should be redirected to the user page.
If not authenticated, then it should be redirected to the login page or a login failure page.

Find details in the links mentioned below.

http://support.microsoft.com/kb/316748

http://stackoverflow.com/questions/290548/c-sharp-validate-a-username-and-password-against-active-directory

http://stackoverflow.com/questions/778990/generic-authentication-call-to-active-directory-in-c-sharp
0
 
LVL 1

Author Comment

by:OGSan
ID: 38373735
Hi, darjimaulik - I'm using the built-in login function whose set-up is described at Chris Towls' Blog site.
This works just fine - but I ran into the problem of needing to pass the authenticated UserName to the sso.aspx page.  Using PostBackURL - the sso.aspx page would work as expected and would open the external site using the UserName passed to it from the Default.aspx page.  But I discovered that the AD authentication was not checking for a valid password value - it was only checking for the presence of a non-blank value in the password textbox.
That's when I posted my original question above and tried using the Response.Redirect approach.  But this does not seem to pass a UserName value at all...plus there still does not seem to be any validation of the password entry.
Thanks for hangin' with me on this problem.
0
 
LVL 1

Accepted Solution

by:
OGSan earned 0 total points
ID: 38416248
I obtained assistance from a colleague and we found a work-around to my problem:
It seems that the PostBackURL was causing the AD authentication to be bypassed.  So, we removed the PostBackURL as well as the ValidationGroup from the asp:Button definition on the Default.aspx page.  We then added in an OnClick action.
Then, in the Default.aspx.cs code-behind, we invoke the automated validation routine "manually" by inserting this into the LoginButton_Click class:
// Validate the user against the Membership framework user store - If valid - transfer control to sso.aspx
if (Membership.ValidateUser(LoginUser.UserName, LoginUser.Password))
{
    Server.Transfer("~/sso.aspx");
}

Everything is now working as it should.
0
 
LVL 1

Author Closing Comment

by:OGSan
ID: 38428024
Found a solution with the help of a friend.
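
Added example (not code from any participant in this thread): the accepted work-around carried through to the receiving page. With PostBackUrl the browser posts the login form straight to sso.aspx, and with ?user= the name arrives in the URL, so in both cases sso.aspx would build its token from a client-supplied name; here Default.aspx validates first and hands the name over in Context.Items, which survives Server.Transfer. Assumptions: the key name ValidatedUserKey is made up for this example, while LoginUser (the designer-declared Login control) and GenerateForm are the thread's own and are not redefined here.

```csharp
// Added example, not code from the thread. LoginUser (designer-declared Login
// control) and GenerateForm are the thread's; ValidatedUserKey is an assumed name.
using System;
using System.Web.Security;
using System.Web.UI;

namespace SSO
{
    // Default.aspx.cs. Markup: <asp:Button ... OnClick="LoginButton_Click" /> with no
    // PostBackUrl, so the form posts back here and the check runs on the server.
    public partial class SSODefault : Page
    {
        internal const string ValidatedUserKey = "SSO.ValidatedUser";

        protected void LoginButton_Click(object sender, EventArgs e)
        {
            if (!Membership.ValidateUser(LoginUser.UserName, LoginUser.Password))
            {
                return; // failed check: stay on the login page, hand nothing over
            }
            // Identity travels in server-side request state, never in the URL or form.
            Context.Items[ValidatedUserKey] = LoginUser.UserName;
            Server.Transfer("~/sso.aspx");
        }
    }

    // sso.aspx.cs. Builds the SSO form only for a name that Default.aspx validated.
    public partial class SSO : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string userId = Context.Items[SSODefault.ValidatedUserKey] as string;
            if (string.IsNullOrEmpty(userId))
            {
                // Direct GET, cross-page post or ?user=...: no validated identity.
                Response.Redirect("~/Default.aspx");
                return;
            }
            Response.Write(GenerateForm(userId));
        }
    }
}
```

Context.Items is empty on any request that did not come through LoginButton_Click, so requesting sso.aspx directly, with or without a user value in the query string, lands back on the login page.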