当前位置: 文江博客话题详情

当存在多个重定向时,如何在 ASP.NET 中获取引用 URL?

发布于 2024-07-17 10:46:12 字数 944 浏览 6 评论 0原文

我正在开发一个使用内部 SSO 服务器进行身份验证的 Web 应用程序。 我的主页上有一个名为 Logout.aspx 的页面的链接。 Logout.aspx 清除表单身份验证 cookie、所有会话数据,然后执行重定向到表单身份验证配置中指定的 LoginUrl(当前设置为名为 Login.aspx 的页面)。

但是,当加载 Login.aspx 时,系统会尝试使用先前颁发的 SSO 身份验证票证对 SSO 服务器隐式地重新验证用户的身份。 如果此票证仍然存在,则先前的用户将重新登录并返回主页。 我想确定,当登录页面加载时,请求是否是通过注销页面发出的。 请求的 UrlReferrer 属性仍然引用 Home.aspx,大概是因为这是客户端请求的最后一个 url。

目前,我有一个解决方法,将查询字符串变量附加到注销页面的请求中,指示登录页面不要执行隐式登录,而是提示用户输入凭据。 如何以编程方式确定请求是否来自注销页面的重定向?

编辑 29/04/2009:

在与 jellomonkey 交谈之后,我应该指出,SSO 服务器与使用网站的本地表单身份验证之间的交互与当前的问题并不直接相关。 简而言之,我的问题是:

  1. 用户单击 Home.aspx 中的 HTML 超链接,将其带到 Logout.aspx
  2. Logout.aspx 的 Page_Load 事件处理程序清除表单身份验证票证和会话数据,并将用户重定向到 Login.aspx
  3. 的 Login.aspx Page_Load 事件检查 Request 对象的 UrlReferrer 属性以确定请求是否来自注销页面。 但是,在通过 Logout.aspx 重定向而来的请求中,Request 对象的 UrlReferrer 属性是 Home.aspx。

为什么是这样? 为什么 UrlReferrer 是 Home.aspx 而不是 Logout.aspx?

原文

I'm developing a web application that uses an in-house SSO server for authentication. I have a link on my home page to a page called Logout.aspx. Logout.aspx clears the Forms Authentication cookie, all session data, then performs a redirect to the LoginUrl specified in the forms authentication configuration which is currently set to a page called Login.aspx.

However when Login.aspx loads, an attempt is made to implicitly reauthenticate the user against the SSO server using the SSO authentication ticket which was previously issued. If this ticket still exists, the previous user will be logged back in and sent back to the home page. I want to determine, when the Login page loads, whether the request has come via the Logout page. The UrlReferrer property of the request still references Home.aspx, presumably because this was the last url the client requested.

Currently I have a workaround in place whereby I append a querystring variable to the request from the logout page that instructs the Login page not to perform an implicit login and instead prompt the user for credentials. How can I determine programmatically whether the request came via a redirect from the Logout page?

Edit 29/04/2009:

Following the conversation with jellomonkey, I should point out that the interaction between the SSO server and the local forms authentication of the consuming website isn't directly relevant to the problem at hand. Expressed succinctly, my problem is:

  1. User clicks HTML hyperlink from Home.aspx which takes them to Logout.aspx
  2. Page_Load event handler of Logout.aspx clears Forms Authentication ticket and Session data and redirects the user to Login.aspx
  3. Page_Load event of Login.aspx checks the UrlReferrer property of the Request object to determine whether the request came via the Logout page. However, in requests which have come via a redirect from Logout.aspx, the UrlReferrer property of the Request object is Home.aspx.

Why is this? Why is the UrlReferrer Home.aspx and not Logout.aspx?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

放低过去 2024-07-24 10:46:12

您所描述的场景应该可以正常工作,除非注销页面实际上没有删除表单身份验证 cookie。 有多种方法可以结束表单身份验证会话:

//I have seen instances where this does not work.
FormsAuthentication.SignOut()  


//I have not seen this code fail before.
Dim cookie As HttpCookie = FormsAuthentication.GetAuthCookie( _
    HttpContext.Current.User.Identity.Name, False)
cookie.Expires = Date.Now.AddDays(-1)


Response.Clear()
Response.AppendCookie(cookie)
Response.Redirect(FormsAuthentication.LoginUrl)

另外,如果您使用存储在 cookie 中的角色管理器,请记住调用 Roles.DeleteCookie()。

编辑:回应更新的问题。

Response.Redirect 方法不会返回带有新 URL 引用者标头的标头,因为规范规定只有客户端发起的请求才应包含引用者标头。 这是您可以看到的 Response.Redirect 代码,它不会更改引用标头:

Public Sub Redirect(ByVal url As String, ByVal endResponse As Boolean)
If (url Is Nothing) Then
    Throw New ArgumentNullException("url")
End If
If (url.IndexOf(ChrW(10)) >= 0) Then
    Throw New ArgumentException(SR.GetString("Cannot_redirect_to_newline"))
End If
If Me._headersWritten Then
    Throw New HttpException(SR.GetString("Cannot_redirect_after_headers_sent"))
End If
Dim handler As Page = TryCast(Me._context.Handler,Page)
If ((Not handler Is Nothing) AndAlso handler.IsCallback) Then
    Throw New ApplicationException(SR.GetString("Redirect_not_allowed_in_callback"))
End If
url = Me.ApplyRedirectQueryStringIfRequired(url)
url = Me.ApplyAppPathModifier(url)
url = Me.ConvertToFullyQualifiedRedirectUrlIfRequired(url)
url = Me.UrlEncodeRedirect(url)
Me.Clear
If (((Not handler Is Nothing) AndAlso handler.IsPostBack) AndAlso (handler.SmartNavigation AndAlso (Me.Request.Item("__smartNavPostBack") = "true"))) Then
    Me.Write("<BODY><ASP_SMARTNAV_RDIR url=""")
    Me.Write(HttpUtility.HtmlEncode(url))
    Me.Write("""></ASP_SMARTNAV_RDIR>")
    Me.Write("</BODY>")
Else
    Me.StatusCode = &H12E
    Me.RedirectLocation = url
    If ((url.StartsWith("http:", StringComparison.OrdinalIgnoreCase) OrElse url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)) OrElse ((url.StartsWith("ftp:", StringComparison.OrdinalIgnoreCase) OrElse url.StartsWith("file:", StringComparison.OrdinalIgnoreCase)) OrElse url.StartsWith("news:", StringComparison.OrdinalIgnoreCase))) Then
        url = HttpUtility.HtmlAttributeEncode(url)
    Else
        url = HttpUtility.HtmlAttributeEncode(HttpUtility.UrlEncode(url))
    End If
    Me.Write("<html><head><title>Object moved</title></head><body>" & ChrW(13) & ChrW(10))
    Me.Write(("<h2>Object moved to <a href=""" & url & """>here</a>.</h2>" & ChrW(13) & ChrW(10)))
    Me.Write("</body></html>" & ChrW(13) & ChrW(10))
End If
Me._isRequestBeingRedirected = True
If endResponse Then
    Me.End
End If
End Sub

您可以使用反射器来遵循其他方法,但我没有看到任何更改标头的方法。

The scenario you are describing should be working correctly unless the logout page is not actually deleting the forms authentication cookie. There are several ways to end the forms authentication session:

//I have seen instances where this does not work.
FormsAuthentication.SignOut()  


//I have not seen this code fail before.
Dim cookie As HttpCookie = FormsAuthentication.GetAuthCookie( _
    HttpContext.Current.User.Identity.Name, False)
cookie.Expires = Date.Now.AddDays(-1)


Response.Clear()
Response.AppendCookie(cookie)
Response.Redirect(FormsAuthentication.LoginUrl)

Also if you are using a role manager which stores in a cookie remember to call Roles.DeleteCookie().

Edit: In response to the updated question.

The Response.Redirect method does not return a header with a new URL referrer because the spec says that only client initiated requests should contain a referrer header. Here is the Response.Redirect code which you can see does not change the referrer header:

Public Sub Redirect(ByVal url As String, ByVal endResponse As Boolean)
If (url Is Nothing) Then
    Throw New ArgumentNullException("url")
End If
If (url.IndexOf(ChrW(10)) >= 0) Then
    Throw New ArgumentException(SR.GetString("Cannot_redirect_to_newline"))
End If
If Me._headersWritten Then
    Throw New HttpException(SR.GetString("Cannot_redirect_after_headers_sent"))
End If
Dim handler As Page = TryCast(Me._context.Handler,Page)
If ((Not handler Is Nothing) AndAlso handler.IsCallback) Then
    Throw New ApplicationException(SR.GetString("Redirect_not_allowed_in_callback"))
End If
url = Me.ApplyRedirectQueryStringIfRequired(url)
url = Me.ApplyAppPathModifier(url)
url = Me.ConvertToFullyQualifiedRedirectUrlIfRequired(url)
url = Me.UrlEncodeRedirect(url)
Me.Clear
If (((Not handler Is Nothing) AndAlso handler.IsPostBack) AndAlso (handler.SmartNavigation AndAlso (Me.Request.Item("__smartNavPostBack") = "true"))) Then
    Me.Write("<BODY><ASP_SMARTNAV_RDIR url=""")
    Me.Write(HttpUtility.HtmlEncode(url))
    Me.Write("""></ASP_SMARTNAV_RDIR>")
    Me.Write("</BODY>")
Else
    Me.StatusCode = &H12E
    Me.RedirectLocation = url
    If ((url.StartsWith("http:", StringComparison.OrdinalIgnoreCase) OrElse url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)) OrElse ((url.StartsWith("ftp:", StringComparison.OrdinalIgnoreCase) OrElse url.StartsWith("file:", StringComparison.OrdinalIgnoreCase)) OrElse url.StartsWith("news:", StringComparison.OrdinalIgnoreCase))) Then
        url = HttpUtility.HtmlAttributeEncode(url)
    Else
        url = HttpUtility.HtmlAttributeEncode(HttpUtility.UrlEncode(url))
    End If
    Me.Write("<html><head><title>Object moved</title></head><body>" & ChrW(13) & ChrW(10))
    Me.Write(("<h2>Object moved to <a href=""" & url & """>here</a>.</h2>" & ChrW(13) & ChrW(10)))
    Me.Write("</body></html>" & ChrW(13) & ChrW(10))
End If
Me._isRequestBeingRedirected = True
If endResponse Then
    Me.End
End If
End Sub

You can use reflector to follow the other methods but I don't see one which changes any header.

回复 原文
对你再特殊 2024-07-24 10:46:12

Response.Redirect("login.aspx?from=logout")

  • Steve Yates
  • ITS, Inc.
  • 为什么泰山没有胡子?

~ Taglinator 的标语:www.srtware.com ~

Response.Redirect("login.aspx?from=logout")

  • Steve Yates
  • ITS, Inc.
  • Why doesn't Tarzan have a beard?

~ Taglines by Taglinator: www.srtware.com ~

回复 原文
~没有更多了~

关于作者

勿忘初心

暂无简介

0 文章
0 评论
637 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

謌踐踏愛綪

文章 0 评论 0

开始看清了

文章 0 评论 0

高速公鹿

文章 0 评论 0

alipaysp_PLnULTzf66

文章 0 评论 0

热情消退

文章 0 评论 0

白色月光

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文