1 out of 4 rated this helpful - Rate this topic

FormsAuthentication.GetRedirectUrl Method

.NET Framework 4

Other Versions

Returns the redirect URL for the original request that caused the redirect to the login page.

Namespace: System.Web.Security
Assembly: System.Web (in System.Web.dll)

Syntax

C++

Copy

public static string GetRedirectUrl(
	string userName,
	bool createPersistentCookie
)

Parameters

userName: Type: System.String
The name of the authenticated user.

createPersistentCookie: Type: System.Boolean
This parameter is ignored.

Return Value

Type: System.String
A string that contains the redirect URL.

Remarks

You can use this method when you want to perform the redirect in your application code instead of using the RedirectFromLoginPage method.

The GetRedirectUrl method returns the URL specified in the query string using the ReturnURL variable name. For example, in the URL http://www.contoso.com/login.aspx?ReturnUrl=caller.aspx, the GetRedirectUrl method returns the return URL caller.aspx. If the ReturnURL variable does not exist, the GetRedirectUrl method returns the URL in the DefaultUrl property.

ASP.NET automatically adds the return URL when the browser is redirected to the login page.

By default, the ReturnUrl variable must refer to a page within the current application. If ReturnUrl refers to a page in a different application or on a different server, the GetRedirectUrl methods returns the URL in the DefaultUrl property. If you want to allow the return URL to refer to a page outside the current application, you must set the EnableCrossAppRedirects property to true using the enableCrossAppRedirects attribute of the forms configuration element.

Security Note
Setting the EnableCrossAppRedirects property to true to allow cross-application redirects is a potential security threat. For more information, see the EnableCrossAppRedirects property.

Examples

The following code example redirects authenticated users to the URL returned from the GetRedirectUrl method.

Security Note
This example contains a text box that accepts user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.

Copy


<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

  private void Login_Click(Object sender, EventArgs e)
  {
    // Create a custom FormsAuthenticationTicket containing
    // application specific data for the user.

    string username     = UserNameTextBox.Text;
    string password     = UserPassTextBox.Text;
    bool   isPersistent = false;

    if (Membership.ValidateUser(username, password))
    {
      string userData = "ApplicationSpecific data for this user.";

      FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        username,
        DateTime.Now,
        DateTime.Now.AddMinutes(30),
        isPersistent,
        userData,
        FormsAuthentication.FormsCookiePath);

      // Encrypt the ticket.
      string encTicket = FormsAuthentication.Encrypt(ticket);

      // Create the cookie.
      Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

      // Redirect back to original URL.
      Response.Redirect(FormsAuthentication.GetRedirectUrl(username, isPersistent));
    }
    else
    {
      Msg.Text = "Login failed. Please check your user name and password and try again.";
    }
  }

</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
    <title>Forms Authentication Login</title>
</head>
<body>
    <form id="form1" runat="server">
        <span style="BACKGROUND: #80ff80; font-weight:bold"> 
            Login Page
        </span> 
        <asp:Label id="Msg" ForeColor="maroon" runat="server" /><br />
        <table border="0">
            <tbody>
                <tr>
                    <td>Username:</td>
                    <td><asp:TextBox id="UserNameTextBox" runat="server" /></td>
                    <td>
                      <asp:RequiredFieldValidator id="RequiredFieldValidator1" 
                                                  runat="server" ErrorMessage="*" 
                                                  Display="Static" 
                                                  ControlToValidate="UserNameTextBox" />
                    </td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><asp:TextBox id="UserPassTextBox" TextMode="Password" runat="server" /></td>
                    <td>
                      <asp:RequiredFieldValidator id="RequiredFieldValidator2" 
                                                  runat="server" ErrorMessage="*" 
                                                  Display="Static" 
                                                  ControlToValidate="UserPassTextBox" />
                    </td>
                </tr>
            </tbody>
        </table>
        <input type="submit" value="Login" runat="server" onserverclick="Login_Click" />
    </form>
</body>
</html>

Version Information

.NET Framework

Supported in: 4, 3.5, 3.0, 2.0, 1.1, 1.0

Platforms

Windows 7, Windows Vista SP1 or later, Windows XP SP3, Windows XP SP2 x64 Edition, Windows Server 2008 (Server Core not supported), Windows Server 2008 R2 (Server Core supported with SP1 or later), Windows Server 2003 SP2

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Reference

FormsAuthentication Class

System.Web.Security Namespace

Other Resources

ASP.NET Web Application Security

Change History

Date	History	Reason
	Updated security note.	Customer feedback.

Date

History

Reason

Updated security note.

Customer feedback.

Did you find this helpful? Yes No

Not accurate

Not enough depth

Need more code examples

(1500 characters remaining)

Community Content Add

FAQ

The 2nd parameter can trick you

If the method needs to know whether the authentication cookie is persistent, you will suspect it creates an authentication cookie. But from the above example, you know that is not the case. So go ahead and use it instead of Response.Redirect(Request.QueryString["ReturnUrl"]);

History

5/21/2012
aperture7

Useless Method Parameters

The input parameters for this method are useless. Why not just create an overloaded method that doesn't require any parameters at all. The username parameter is only verified to see if it is null or not and then is no longer used. The createPersistantCookie parameter is ignored completely so why even have a method that requires 2 parameters when they aren't needed.

History

7/13/2011
hype8912