Infinite redirect loop in Windows Authentication if user deleted

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

8/7/2015 1:11:06 PM
Total Posts 5

Infinite redirect loop in Windows Authentication if user deleted

When using Windows Authentication, if a user is successfully authenticated once (and hence their username is stored in the mp_Users table), and then their username is deleted from mp_Users, then the next time they navigate to the site they will be caught in an infinite loop. The reason is that in the OnLoad function of mojoBasePage, if the user has the authentication cookie but the user comes back null (line 904), they are redirected to Logoff.aspx. Within Logoff.aspx.cs, the cookie never gets deleted but the user gets redirected to Default.aspx, which starts the process over again. This leads to an infinite redirect loop. I believe this should be fixed by adding the following line into the DoLogout function in Logoff.aspx.cs:

CookieHelper.ExpireCookie("siteguid" + siteSettings.SiteGuid);

This line could be added at any point after line 39. It seems like this probably should have been in there anyway, because other cookies are getting set to expire within this function, but for some reason the main authentication cookie is not getting set to expired.

I tested that this change does fix my issue, although I can't say for absolutely sure that it would have no other negative effects.

8/7/2015 1:53:24 PM
Total Posts 18439

Re: Infinite redirect loop in Windows Authentication if user deleted

I have added this change and pushed it to our source code repository.

Thanks,

Joe

8/7/2015 3:02:50 PM
Total Posts 5

Re: Infinite redirect loop in Windows Authentication if user deleted

Thanks, Joe. But I should have been clearer. That line should have been added anywhere within the DoLogout method except inside the if block. I think that this cookie should get expired on logout no matter what - not just in the case where (useFolderForSiteDetection)&&(!WebConfigSettings.UseRelatedSiteMode). Could we move it to outside that if block?

8/7/2015 3:18:10 PM
Total Posts 18439

Re: Infinite redirect loop in Windows Authentication if user deleted

I'm pretty sure the only context where that cookie is used at all is when using folder sites and when not using related sites mode, so I would not expect that we need to put that code elsewhere.

Authentication cookies are scoped to the host name, so there is no cookie collision if using multi sites based on host name.

When using folder sites the same authentication cookie is shared across sites because the ASP.NET framework does not make it possible to dynamically choose the cookie name at login time. When using related sites mode then all folder sites share the same users and roles so we also don't need an extra cookie there; if a user logs into one site he is logged into the others.

But when using folder sites and not using related sites mode we use this extra cookie to determine if the user is really logged in to the current folder site, and we have a custom Principal where we check for this cookie in that case.

I don't think that cookie gets set at all in other scenarios, so it is hard for me to imagine we need to clear that cookie in any other scenario than in folder sites not using related sites mode.

Actually the code above it is supposed to "expire" the same cookie but was probably written before we had that cookie helper method.

I'm not opposed to moving it but it seems like it is in the correct place.

8/7/2015 3:34:32 PM
Total Posts 18439

Re: Infinite redirect loop in Windows Authentication if user deleted

Can you try commenting out line 904 in mojoBasePage and adding this there instead:

FormsAuthentication.SignOut();

and see if that solves the problem?

8/7/2015 3:39:47 PM
Total Posts 18439

Re: Infinite redirect loop in Windows Authentication if user deleted

Actually, disregard that. Since this is Windows authentication there is no forms authentication cookie, so FormsAuthentication.SignOut(); isn't going to solve anything.

I will copy the expire cookie logic outside that if in logoff.aspx and push it to the repo.

8/7/2015 3:49:05 PM
Total Posts 18439

Re: Infinite redirect loop in Windows Authentication if user deleted

"but for some reason the main authentication cookie is not getting set to expired."

The thing with Windows auth is there is no authentication cookie at all and no use of a login page either; the user is already logged into Windows and is immediately seen as logged into the site, and if the user is null in the db it should get automatically added.

I've moved the cookie logic since you say that fixes it, but I don't quite understand it. Maybe that null check for the user is happening before the user is automatically created.

In the case of Windows auth I suspect an easier solution would have been to set WebConfigSettings.EnforcRequirePasswordChanges to false, since in Windows auth we can't force the user to change their Windows password. That being false would have eliminated the redirect in mojoBasePage.

8/7/2015 3:50:30 PM
Total Posts 5

Re: Infinite redirect loop in Windows Authentication if user deleted

Ok - thanks. Yeah, that cookie is initially getting set on line 106 of AuthHandlerHttpModule, because my AuthenticationType is "Negotiate" - inside this if:

if ((app.User.Identity.AuthenticationType == "NTLM") || (app.User.Identity.AuthenticationType == "Negotiate"))

So we could probably put it inside an equivalent if inside of DoLogout if we wanted to.
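The redirect loop described in the opening post, and the placement question settled in the last few replies (the site cookie is written at Windows login in the auth module and must be expired by DoLogout regardless of the folder-sites branch), can be reproduced in a small console model. This is an added example, not mojoPortal's own code: the Browser, Site, WindowsLogin, OnLoad, DoLogout and FollowRedirects names are hypothetical stand-ins for the pages and module named in the thread, and the site GUID is a constructed value. The model follows redirects the way a browser would, with a hop limit so the buggy build reports a loop instead of hanging, and shows the same request terminating once logout expires the cookie.

```csharp
// Added example (not mojoPortal code): model of the Windows-auth redirect loop
// and of the fix that expires the "siteguid<SiteGuid>" cookie in DoLogout.
// All class and method names below are hypothetical stand-ins.
using System;
using System.Collections.Generic;

// Stand-in for the browser: its cookie jar plus the path it is currently requesting.
class Browser
{
    public readonly Dictionary<string, string> Cookies = new Dictionary<string, string>();
    public string Path = "/Default.aspx";
}

// Stand-in for the user store (mp_Users) and the site's request handlers.
class Site
{
    readonly HashSet<string> users = new HashSet<string>();
    readonly string cookieName;
    readonly bool expireCookieOnLogout;

    public Site(string siteGuid, bool expireCookieOnLogout)
    {
        cookieName = "siteguid" + siteGuid;       // same naming as the reported fix
        this.expireCookieOnLogout = expireCookieOnLogout;
    }

    // AuthHandlerHttpModule stand-in: an NTLM/Negotiate identity is trusted
    // immediately; the extra site cookie marks the login for this site.
    public void WindowsLogin(Browser b, string windowsUser)
    {
        users.Add(windowsUser);                   // first login auto-creates the user row
        b.Cookies[cookieName] = windowsUser;
    }

    // An administrator removing the row from mp_Users.
    public void DeleteUser(string windowsUser) => users.Remove(windowsUser);

    // mojoBasePage.OnLoad stand-in: cookie present but user lookup is null -> Logoff.aspx.
    string OnLoad(Browser b)
    {
        string user;
        if (b.Cookies.TryGetValue(cookieName, out user) && !users.Contains(user))
            return "/Logoff.aspx";
        return null;                              // page renders normally, no redirect
    }

    // Logoff.aspx DoLogout stand-in: the buggy build leaves the cookie alone,
    // the fixed build expires it (the browser drops it) before redirecting home.
    string DoLogout(Browser b)
    {
        if (expireCookieOnLogout) b.Cookies.Remove(cookieName);
        return "/Default.aspx";
    }

    // Follow redirects like a browser would. Returns the number of hops until a
    // page rendered, or -1 when the hop limit is hit (a redirect loop).
    public int FollowRedirects(Browser b, int maxHops)
    {
        int hops = 0;
        while (hops < maxHops)
        {
            string next = b.Path == "/Logoff.aspx" ? DoLogout(b) : OnLoad(b);
            if (next == null) return hops;
            b.Path = next;
            hops++;
        }
        return -1;
    }
}

static class Program
{
    // Log in once, delete the user, then revisit the site.
    static int Run(bool fixApplied)
    {
        var site = new Site("00000000-0000-0000-0000-000000000001", fixApplied); // constructed GUID
        var browser = new Browser();
        site.WindowsLogin(browser, "DOMAIN\\alice");   // constructed account name
        site.DeleteUser("DOMAIN\\alice");
        return site.FollowRedirects(browser, 20);
    }

    static void Main()
    {
        Console.WriteLine("without fix: " + (Run(false) == -1 ? "redirect loop" : "ok"));
        Console.WriteLine("with fix:    hops=" + Run(true));   // two hops, then Default.aspx renders
    }
}
```

The hop guard in FollowRedirects is the same kind of check a defender would add on the server side: any logout path that only redirects, without invalidating the state that caused the redirect, is a loop waiting to happen, and the unconditional expiry is what breaks it.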
