Export (0) Print
Expand All

FormsAuthentication.EnableCrossAppRedirects Property

Updated: January 2010

Gets a value indicating whether authenticated users can be redirected to URLs in other Web applications.

Namespace:  System.Web.Security
Assembly:  System.Web (in System.Web.dll)

public static bool EnableCrossAppRedirects { get; }

Property Value

Type: System.Boolean
true if authenticated users can be redirected to URLs in other Web applications; otherwise, false. The default is false.

The EnableCrossAppRedirects property value is set using the enableCrossAppRedirects attribute of the forms configuration element.

The EnableCrossAppRedirects property is checked within the RedirectFromLoginPage method when the redirect URL does not point to a page in the current application. If EnableCrossAppRedirects is true, then the redirect is performed; if EnableCrossAppRedirects is false, the browser is redirected to the page defined in the DefaultUrl property.

NoteNote:

When you redirect pages across applications, you must make sure that specific attributes in the forms configuration element are duplicated across the authenticated applications. For more information and an example, see Forms Authentication Across Applications.

Security noteSecurity Note:

When cross-application redirects are allowed, your site is vulnerable to an exploit that directs users to a malicious Web site but uses the login page for your site. Always verify that the redirect URL that is returned by the GetRedirectUrl method is a URL that you expect so that you can make sure that you allow redirects only to approved Web sites. You must also verify that the redirect URL uses the appropriate protocol (HTTP or HTTPS). To perform these verifications, you can add a postback event handler to your login page, or you can add a handler for the LoggedIn event of the Login control.

The following code example sets the enableCrossAppRedirects attribute to true in the Web.config file for an ASP.NET application.

<authentication mode="Forms">
  <forms loginUrl="member_login.aspx"
    cookieless="UseUri"
    requireSSL="true" 
    enableCrossAppRedirects="true" />
</authentication>

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0

Date

History

Reason

January 2010

Updated security note.

Customer feedback.

Community Additions

ADD
Show:
© 2014 Microsoft