I'm developing an application using MVC 5. I have written code for the login functionality. When I tried to launch the application, a query string parameter ReturnUrl was added to the Login page URL. Here is my code:

            public ActionResult Login()
            {
                var authentication = Authentication;
                if (Request.HttpMethod == "POST")
                {
                    //code for user validation
                }

                return View();
            }

I'm unable to find the code that is adding the ReturnUrl parameter to the URL. Can anyone help me find the code that adds the ReturnUrl parameter?

Irshad Shaik
  • Check the AccountController.cs in the Controllers folder of your project – Shiham Oct 31 '16 at 15:12
  • Code snippet displayed above is copied from AccountController.cs. But I'm unable to find any code related to ReturnUrl there. – Irshad Shaik Oct 31 '16 at 15:17
  • More detail on the issue: I have created a page for ForgetPassword and I have added a link to the login page there. When I redirect back to the login page, no ReturnUrl parameter is added to the URL. I used @Html.ActionLink("Go to Login page", "Login", "Account") to create the link to the login page in the ForgetPassword page. – Irshad Shaik Oct 31 '16 at 15:54

2 Answers

By default, the AuthorizeAttribute class is part of the System.Web.Mvc namespace (see Github repository: aspnetwebstack). The method that leads to the login redirection there is HandleUnauthorizedRequest:

protected virtual void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    // Returns HTTP 401 - see comment in HttpUnauthorizedResult.cs.
    filterContext.Result = new HttpUnauthorizedResult();
}

The HTTP 401 status code response from the method above will trigger FormsAuthenticationModule (see reference below), where the OnLeave method redirects to the login URL with the FormsAuthentication.ReturnUrlVar property included:

strRedirect = loginUrl + "?" + FormsAuthentication.ReturnUrlVar + "=" + HttpUtility.UrlEncode(strUrl, context.Request.ContentEncoding);

// Do the redirect
context.Response.Redirect(strRedirect, false);

To override this behavior (including removing the ReturnUrl part), create an authorization class that extends the AuthorizeAttribute class, e.g. (this is an example implementation):

using System; // AttributeUsage and AttributeTargets
using System.Web.Mvc;
using System.Web.Routing;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // @Override
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.Request.IsAuthenticated)
        {
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(
            new { controller = "Account", 
                  action = "Login"
                }));
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

Then, you may implement the custom authorization attribute like this:

[CustomAuthorizeAttribute]
public ActionResult UserPage()
{
    return View();
}

NB: Use AuthorizeAttribute on all pages that require user login authentication; for the login page, use AllowAnonymousAttribute instead.

Related references:

System.Web.Security.FormsAuthenticationModule (MS Github reference)

What initially sets the ReturnUrl parameter when using AuthorizeAttribute

Generate a return Url with a custom AuthorizeAttribute

How to remove returnurl from url?

Tetsuya Yamamoto
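
The redirect built in OnLeave carries the originally requested URL in the query string, so a login action that honours ReturnUrl should treat it as untrusted input. The following is an added example (not code from either answer or from the asker's project) of a Login action pair that redirects back only to local URLs; LoginViewModel, the Home/Index fallback and a configured Membership provider are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model for this example.
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class AccountController : Controller
{
    [HttpGet]
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        // Model binding is case-insensitive, so this receives the ReturnUrl
        // value appended by FormsAuthenticationModule (null when absent).
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken] // the view must render @Html.AntiForgeryToken()
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        // Assumes a Membership provider is configured; swap in your own check.
        if (!ModelState.IsValid || !Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            ViewBag.ReturnUrl = returnUrl;
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(model.UserName, false);

        // Url.IsLocalUrl accepts only paths inside this application and
        // rejects absolute and protocol-relative URLs.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```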

It's a default behavior of ASP.NET authentication. The "returnUrl" is added when you try to access a private URL. If you want to remove that, you will need a custom implementation of the authorize class.

Fabio Silva Lima