2

I'm trying to secure my entire MVC site, so before the Home controller, I added an [Authorize] attribute.

Now if you run it from Visual Studio or navigate using the root URL (e.g. http://localhost:2897) it does redirect to the login page, as expected. However the URL in the address bar after redirection looks like this: http://localhost:2897/Account/LogOn?ReturnUrl=%2fdefault.aspx%3f

I haven't tested this out, seeing as I have not implemented my authentication code. However, this looks like a big problem to me, since I do not have a default.aspx in my project!

My authentication tag in the web.config looks like this:

<authentication mode="Forms">
   <forms loginUrl="~/Account/LogOn" defaultUrl="~/Home/Index" timeout="2880"/>
</authentication>

Why doesn't it pick up this route as the default ReturnUrl instead of default.aspx?

Improve this question

1 Answer 1

Reset to default
2

ASP.NET (to be precise, FormsAuthentication.RedirectFromLoginPage) always ignores the defaultUrl setting in web.config when a ReturnUrl parameter is present. It's only honored when you go directly to the login page without passing any ReturnUrl parameters.

ASP.NET MVC project template provides a blank Default.aspx template to handle requests like that in IIS Classic pipeline mode. You should be fine with that.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Hmmm .. guess I'm not asking my question correctly. I guess my real question is, how can I get it to set the ReturnUrl to be Home/Index instead of default.aspx? That is, when the person is navigating to the root URL, not a specific route. (If the person is navigating to a specific route, the ReturnUrl is correct.)
@Cynthia: I see your point. The problem is, in fact, the Web server tries to serve the default document when you request "/". The default template shipped with ASP.NET MVC transparently rewrites requests to "default.aspx" to "/" route on the server and tries to execute the action but since it requires authentication, it'll redirect the user to the login page using the current URL as the return URL (which is still default.aspx). Effectively, you get what you want (except getting default.aspx displayed in the address bar). You'll have less issues in integrated mode.
OK, I tried it out and Default.aspx does go to the default controller/action. So .. nevermind! I thought it would bomb, but apparently not. Thanks!
If you're obsessed with that (not having default.aspx show up in the address bar), you should map the "/" route explicitly to a separate action method that redirects people to "Home/Index" without requiring authorization (with return Redirect(...) and adding a MapRoute call before the default one to handle the "/" request) and protect "Home/Index" with [Authorize].

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.