Forms Authentication - Redirect Back to Original Domain


Question

Example:

Application = https://test2.mytest.com/MyApplication/Download.aspx

The application has forms authentication enabled in the web.config:

<authentication mode="Forms">
  <forms loginUrl="https://test.mytest.com/Login/" name=".ASPXAUTH"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>

When accessing the application it correctly redirects to the login page:
https://test.mytest.com/Login/?ReturnUrl=%2fMyApplication%2fDownload.aspx

However, after successfully logging in it goes to:
https://test.mytest.com/MyApplication/Download.aspx
instead of
https://test2.mytest.com/MyApplication/Download.aspx

It is using the sub-domain of where the login application is (test.mytest.com), not the sub-domain of the original request (test2.mytest.com). Is there any way to have forms authentication redirect back to the original requesting sub-domain instead of the sub-domain that the login app is on?

Any help on this would be greatly appreciated.

Recommended answer

Yes, it is certainly possible, but you'll need to make changes on both the authenticating sub domain and the sub domain requiring authentication.

The sub domain requiring authentication.
The issue you're having is that when an anonymous user attempts to access a secured resource, ASP.NET forms authentication redirects them to the login page and appends the originally requested resource in the "ReturnURL" query string, but this ReturnURL parameter is a relative URL.

So to get this to work in the way you want, you'll need to manipulate the ReturnURL parameter to indicate in some way that the return is to a different site.

One way to do this is to manipulate the ReturnURL using an HttpHandler to hook into the PostAuthenticateRequest, as detailed in this article, Forms Authentication With Absolute Return URLs.

The authenticating sub domain
To enable redirection to the calling subdomain you'll need to set the enableCrossAppRedirects attribute to "true" in the forms section of the web.config to allow redirection to a URL in another web application. Be aware of the implications of this though as it leaves you open to open redirection attacks.

An alternative and more secure approach to just setting the sub domain address directly on the ReturnURL (helping prevent open redirection attacks) is to modify the ReturnURL to contain a known parameter in the querystring and then modify the Application_EndRequest in the global.asax.cs of the authenticating subdomain as mentioned here and here to rewrite the Response.RedirectLocation.
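The safer approach in that last paragraph, as an added example that is not code from the original answer or the linked articles: a Global.asax.cs for the authenticating site (test.mytest.com) that rewrites Response.RedirectLocation only when the ReturnUrl carries a hypothetical `site` parameter naming an allow-listed subdomain. It assumes the calling site appended `site=test2` to its ReturnUrl and that every permitted host lives under mytest.com.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public partial class Global : HttpApplication
{
    // Hypothetical name of the "known parameter" the calling site appends to ReturnUrl.
    private const string SiteParam = "site";

    // Allow list of hosts that may receive the post-login redirect. A "site" value
    // that does not map to a listed host is ignored, so a crafted ReturnUrl cannot
    // turn the login page into an open redirector.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "test.mytest.com", "test2.mytest.com" };

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Only the 302 that FormsAuthentication issues after a successful login matters here.
        if (Response.StatusCode != 302 || string.IsNullOrEmpty(Response.RedirectLocation))
            return;

        string rewritten = RewriteRedirect(Response.RedirectLocation);
        if (rewritten != null)
            Response.RedirectLocation = rewritten;
    }

    // Returns an absolute URL on the calling subdomain, or null to leave the redirect untouched.
    // "/MyApplication/Download.aspx?site=test2" -> "https://test2.mytest.com/MyApplication/Download.aspx"
    public static string RewriteRedirect(string location)
    {
        // Accept only a site-local path: protocol-relative ("//other.example") and absolute
        // ("https://other.example") values are never forwarded.
        if (location == null || !location.StartsWith("/") || location.StartsWith("//") || location.Contains("\\"))
            return null;

        int q = location.IndexOf('?');
        if (q < 0) return null;
        var query = HttpUtility.ParseQueryString(location.Substring(q + 1));
        string site = query[SiteParam];
        if (string.IsNullOrEmpty(site)) return null;
        string host = site + ".mytest.com";
        if (!AllowedHosts.Contains(host)) return null;

        // Drop the marker so it is not echoed on to the target application.
        query.Remove(SiteParam);
        string path = location.Substring(0, q);
        return "https://" + host + path + (query.Count > 0 ? "?" + query : "");
    }
}
```

Because the host is rebuilt from the allow list rather than copied from the request, enableCrossAppRedirects does not need to be turned on for this to work.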
