5

In ASP.Net, is anyone aware of a way to bypass Forms Authentication if a specific query string parameter is passed in?

Such as:

mydomain.com/myprotectedpage.aspx

...I would like to be protected by Forms Authentication (and so, redirected to login page)

mydomain.com/myprotectedpage.aspx?myBypassParameter=me

...I would like the page to render as normal

Is this at all possible?

1

3 Answers

2

Not really any "official" way of doing it.

You could do what I do, which is to have a base page instead of System.Web.UI.Page, like so:

Imports System.Web.Security

Public MustInherit Class ProtectedPage
    Inherits System.Web.UI.Page

    ' Runs on every page that inherits from ProtectedPage.
    Private Sub Page_InitComplete(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.InitComplete
        If User.Identity.IsAuthenticated = False Then
            ' Anonymous request: redirect to the login page unless the bypass parameter is present.
            If String.IsNullOrEmpty(Request.QueryString("myBypassParameter")) Then
                FormsAuthentication.RedirectToLoginPage()
            End If
        End If
    End Sub

End Class


1 Comment

Thanks, I'd hoped for some magic solution, but this is probably going to be the best option.
0

In your code behind, you could simply use Request.QueryString["myBypassParameter"] and check its value. If it's an invalid value, then use FormsAuthentication.RedirectToLoginPage or a custom redirect to put the user back at the login page. However, this doesn't seem like a secure method of protecting a page. What if someone got hold of the specific parameter and managed to gain access to your protected page? Also, you want to make sure that the QueryString value is valid (maybe by a regular expression) to ensure the user hasn't passed malicious code which will then be read by your application.

2 Comments

Is that the reason for the downvote? For explaining how it's done, but recommended against?
Can't really fault the response though. The insecurity lies with the request, not the solution.
0

You might be able to jam some quick code into the Application_AuthenticateRequest event. You could then test for the parameter and adjust the User.Identity as necessary to allow the page. You'd have to put in a page check as well to make sure it didn't allow this behavior on all restricted pages.

I wouldn't recommend this design as an approach though. If you need to have a protected area accessed in an anonymous fashion, it'd be better to put all of your functionality into a UserControl and then use a protected/unprotected version of a parent page. This would allow you to control what goes out and when.
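
The second answer's concern, that anyone who learns the fixed parameter value gets the page, can be reduced by making the parameter a signed, expiring token bound to one page. A sketch of that check in C#, added here as an example and not code from any of the answers; the `BypassToken` class, its token format, and the key handling are assumptions:

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the thread. BypassToken and its token format are hypothetical.
public static class BypassToken
{
    // Token = "<expiry as Unix seconds>.<hex HMAC-SHA256 over page path and expiry>".
    public static string Create(string path, DateTimeOffset expires, byte[] key)
    {
        string exp = expires.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        return exp + "." + Sign(path, exp, key);
    }

    public static bool IsValid(string path, string token, DateTimeOffset now, byte[] key)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        long exp;
        if (parts.Length != 2 ||
            !long.TryParse(parts[0], NumberStyles.None, CultureInfo.InvariantCulture, out exp))
            return false;
        // Verify the MAC before trusting the expiry value taken from the URL.
        if (!FixedTimeEquals(Sign(path, parts[0], key), parts[1])) return false;
        return now.ToUnixTimeSeconds() <= exp;
    }

    private static string Sign(string path, string exp, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            // Lower-case the path so the token is tied to one page regardless of URL casing.
            byte[] data = Encoding.UTF8.GetBytes(path.ToLowerInvariant() + "\n" + exp);
            return BitConverter.ToString(hmac.ComputeHash(data)).Replace("-", "");
        }
    }

    // Compare without an early exit so timing does not reveal how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A base page like the one in the first answer would call `BypassToken.IsValid(Request.Path, Request.QueryString["myBypassParameter"], DateTimeOffset.UtcNow, key)` instead of testing only for a non-empty value. The token still travels in the URL, so it can surface in logs and browser history until it expires.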
