FormsAuthentication.RedirectFromLoginPage Method (String, Boolean) (System.Web.Security)

RedirectFromLoginPage Method (Strin...

Switch on low bandwidth view

Collapse All

Language Filter

This page is specific to

Microsoft Visual Studio 2005/.NET Framework 2.0

Other versions are also available for the following:

.NET Framework Class Library

FormsAuthentication.RedirectFromLoginPage Method (String, Boolean)

Redirects an authenticated user back to the originally requested URL or the default URL.

Namespace: System.Web.Security
Assembly: System.Web (in system.web.dll)

Syntax

Visual Basic (Declaration)

Public Shared Sub RedirectFromLoginPage ( _
    userName As String, _
    createPersistentCookie As Boolean _
)

Visual Basic (Usage)

Dim userName As String
Dim createPersistentCookie As Boolean

FormsAuthentication.RedirectFromLoginPage(userName, createPersistentCookie)

public static void RedirectFromLoginPage (
    string userName,
    bool createPersistentCookie
)

C++

public:
static void RedirectFromLoginPage (
    String^ userName, 
    bool createPersistentCookie
)

public static void RedirectFromLoginPage (
    String userName, 
    boolean createPersistentCookie
)

JScript

public static function RedirectFromLoginPage (
    userName : String, 
    createPersistentCookie : boolean
)

Parameters

userName: The authenticated user name.

createPersistentCookie: true to create a durable cookie (one that is saved across browser sessions); otherwise, false.

Exceptions

Exception type	Condition
HttpException	The return URL specified in the query string contains a protocol other than HTTP: or HTTPS:.

Remarks

The RedirectFromLoginPage method redirects to the URL specified in the query string using the ReturnURL variable name. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, the RedirectFromLoginPage method redirects tothe return URL caller.aspx. If the ReturnURL variable does not exist, the RedirectFromLoginPage method redirects to the URL in the DefaultUrl property.

ASP.NET automatically adds the return URL when the browser is redirected to the login page. By default, the ReturnUrl variable must refer to a page within the current application. If ReturnUrl refers to a page in a different application or on a different server, the RedirectFromLoginPage methods redirects to the URL in the DefaultUrl property. If you want to allow redirects to a page outside the current application, you must set the EnableCrossAppRedirects property to true using the enableCrossAppRedirects attribute of the forms configuration element. Security Note Setting the EnableCrossAppRedirects property to true to allow cross-application redirects is a potential security threat. When cross-application redirects are allowed, your site is vulnerable to malicious Web sites that use your login page to convince your Web site users that they are using a secure page on your site. To improve security when using cross-application redirects, you should override the RedirectFromLoginPage method to allow redirects only to approved Web sites. If the CookiesSupported property is true, and either the ReturnUrl variable is within the current application or the EnableCrossAppRedirects property is true, then the RedirectFromLoginPage method issues an authentication ticket and places it in the default cookie using the SetAuthCookie method. If CookiesSupported is false and the redirect path is to a URL in the current application, the ticket is issued as part of the redirect URL. If CookiesSupported is false, EnableCrossAppRedirects is true, and the redirect URL does not refer to a page within the current application, the RedirectFromLoginPage method issues an authentication ticket and places it in the QueryString property.

Security Note
Setting the EnableCrossAppRedirects property to true to allow cross-application redirects is a potential security threat. When cross-application redirects are allowed, your site is vulnerable to malicious Web sites that use your login page to convince your Web site users that they are using a secure page on your site. To improve security when using cross-application redirects, you should override the RedirectFromLoginPage method to allow redirects only to approved Web sites.

Example The following code example redirects validated users to either the originally requested URL or the DefaultUrl. The code example uses ASP.NET membership to validate users. For more information about ASP.NET membership, see Managing Users by Using Membership. Visual Basic <%@ Page Language="VB" %> <%@ Import Namespace="System.Web.Security" %> <script runat="server"> Public Sub Login_OnClick(sender As Object, args As EventArgs) If (Membership.ValidateUser(UsernameTextbox.Text, PasswordTextbox.Text)) Then FormsAuthentication.RedirectFromLoginPage(UsernameTextbox.Text, NotPublicCheckBox.Checked) Else Msg.Text = "Login failed. Please check your user name and password and try again." End If End Sub </script> <html> <head> <title>Login</title> </head> <body> <form runat="server"> <h3>Login</h3> <asp:Label id="Msg" ForeColor="maroon" runat="server" /><P> Username: <asp:Textbox id="UsernameTextbox" runat="server" /><BR> Password: <asp:Textbox id="PasswordTextbox" runat="server" TextMode="Password" /><BR> <asp:Button id="LoginButton" Text="Login" OnClick="Login_OnClick" runat="server" /> <asp:CheckBox id="NotPublicCheckBox" runat="server" /> Check here if this is <u>not</u> a public computer. </form> </body> </html> C# <%@ Page Language="C#" %> <%@ Import Namespace="System.Web.Security" %> <script runat="server"> public void Login_OnClick(object sender, EventArgs args) { if (Membership.ValidateUser(UsernameTextbox.Text, PasswordTextbox.Text)) FormsAuthentication.RedirectFromLoginPage(UsernameTextbox.Text, NotPublicCheckBox.Checked); else Msg.Text = "Login failed. Please check your user name and password and try again."; } </script> <html> <head> <title>Login</title> </head> <body> <form runat="server"> <h3>Login</h3> <asp:Label id="Msg" ForeColor="maroon" runat="server" /><P> Username: <asp:Textbox id="UsernameTextbox" runat="server" /><BR> Password: <asp:Textbox id="PasswordTextbox" runat="server" TextMode="Password" /><BR> <asp:Button id="LoginButton" Text="Login" OnClick="Login_OnClick" runat="server" /> <asp:CheckBox id="NotPublicCheckBox" runat="server" /> Check here if this is <u>not</u> a public computer. </form> </body> </html>

Platforms Windows 98, Windows 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition The .NET Framework does not support all versions of every platform. For a list of the supported versions, see System Requirements.

Version Information .NET Framework Supported in: 2.0, 1.1, 1.0

See Also Reference FormsAuthentication Class FormsAuthentication Members System.Web.Security Namespace Other Resources ASP.NET Web Application Security ASP.NET Web Application Security

Tags : Add a tag Add Cancel Flag as ContentBug Community Content Add new content Annotations | Edit Tags : Add a tag Add Cancel Flag as ContentBug © 2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement