Registration Redirect

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
4/16/2010 8:55:25 PM
Gravatar
Total Posts 131

Registration Redirect

Joe, not sure if this is a bug or intended change. The old system used to allow relative redirect url's. This change requires it.

In register.aspx

if (Request.Params.Get("returnurl") != null) {
                string returnUrlParam = Page.Request.Params.Get("returnurl"); if (!String.IsNullOrEmpty(returnUrlParam))
                { returnUrlParam = SecurityHelper.RemoveMarkup(returnUrlParam);
                    string redirectUrl = Page.ResolveUrl(SecurityHelper.RemoveMarkup(Page.Server.UrlDecode(returnUrlParam))); if ((redirectUrl.StartsWith(SiteRoot)) || (redirectUrl.StartsWith(SiteRoot.Replace("https://", "http://"))) || (redirectUrl != null))
                    { this.RegisterUser.ContinueDestinationPageUrl = redirectUrl;
                    }

                }


            }

 

I added the bold area to allow relative url's again.

Just let me know if fully qualified is required for a reason so I don't run into other issues.

Thanks

4/17/2010 8:27:33 AM
Gravatar
Total Posts 18439

Re: Registration Redirect

Hi David,

I don't recall recent changes to that part of the code, but I agree relative urls should be supported, so I consider this a bug.

Rather than the change you proposed, I changed my copy like this:

string redirectUrl = Page.ResolveUrl(SecurityHelper.RemoveMarkup(Page.Server.UrlDecode(returnUrlParam)));
if (redirectUrl.StartsWith("/")) { redirectUrl = SiteRoot + redirectUrl; }

This should also make it possible to support relative urls that are relative to folder based child sites.

So the rule will be that a relative url must start with /

The reason we can't just allow any string is for security purposes.

For example suppose a hacker wanted to lure you to a malware sites to try and infect your machine. They could make a tweet like register at mojoportal.com now to get a free ipad and then some shrunk/obfuscated url that points to http://www.mojoportal.com/Secure/Register.aspx?returnUrl=http://malware.com

The user would land at the mojoPortal register page and might not notice the return url param, and after registering would be redirected to the external site. Or the return url might look less suspicious/more tempting if it were returnUrl=http://ipadoffer.somedomain.com

So we need to make sure the redirect url is either relative or starts with the site root.

Best,

Joe

4/17/2010 7:40:37 PM
Gravatar
Total Posts 131

Re: Registration Redirect

Joe, as usual, your way is much better. Thanks for the help.

6/11/2010 12:54:54 AM
Gravatar
Total Posts 11

Re: Registration Redirect

Hi.

I have a problem with querystring variables of the original request not being passed to the login page.

My situation is as follow:

The user needs to register on the site and can then place an order. Then there's a couple of stages an order goes through and eventually we send the user an email that contains a link to complete the order. This link has querystring variables. Then... when the link is clicked, the user is asked to log in, but after login has occured, the user is redirected to the destination url without the original querystring variables.

Is there a way I can fix this?

6/15/2010 7:46:27 AM
Gravatar
Total Posts 11

Re: Registration Redirect

Hi Joe.

 

I fixed my issue by changing the RedirectIfNeeded method in Default.aspx.cs. Here's the changed method:

        private bool RedirectIfNeeded()
        {
            if (
                (!isAdmin)
                && (!isSiteEditor)
                && (!WebUser.IsInRoles(CurrentPage.AuthorizedRoles))
                )
            {
                if (!Request.IsAuthenticated)
                {
                    SiteUtils.RedirectToLoginPage(this, SiteUtils.GetCurrentPageUrl() + (Request.RawUrl.Contains("?") ? Request.RawUrl.Substring(Request.RawUrl.IndexOf('?')) : "")) ;
                    return true;

                }
                else
                {
                    SiteUtils.RedirectToAccessDeniedPage(this);
                    return true;
                }
            }

            return false;

        }

 

 

Will this do the trick?

6/16/2010 8:06:13 AM
Gravatar
Total Posts 18439

Re: Registration Redirect

Hi Jacques,

Really this should not be needed there because Default.aspx.cs is only for CMS pages in the menu and there really should not be extra query string params expected there. We have friendly urls like home.aspx that map to real urls like /Default.aspx?pageid=x, we should not then use home.aspx?someparam=foo

Custom modules should not be passing extra query string params to cms page urls, they can pass extra params to supporting pages of the feature like you see in the forums pages for example but a cms page may have any number of modules on it so any specific module should not pass params in the query string. What if 2 modules do that and use the same param names?

You should link to custom supporting page(s) instead of adding query string params to cms page urls, then in your custom page you can redirect with

if (!Request.IsAuthenticated)
 {
            SiteUtils.RedirectToLoginPage(this);
           return;
 }

and this will have the query string params.

I will accommodate you with this change so you can make it work with a config setting that changes the current behavior, but I do not want to encourage the use of query string params in cms page urls so the default will be false.

private bool RedirectIfNeeded()
        {
            if (
                (!isAdmin)
                && (!isSiteEditor)
                && (!WebUser.IsInRoles(CurrentPage.AuthorizedRoles))
                )
            {
                if (!Request.IsAuthenticated)
                {
                    if (WebConfigSettings.UseRawUrlForCmsPageLoginRedirects)
                    {
                        SiteUtils.RedirectToLoginPage(this);
                    }
                    else
                    {
                        SiteUtils.RedirectToLoginPage(this, SiteUtils.GetCurrentPageUrl());
                    }
                    return true;

                }
                else
                {
                    SiteUtils.RedirectToAccessDeniedPage(this);
                    return true;
                }
            }

            return false;

        }

Best,

Joe

ps this should have been a new thread instead of a reply on this thread, your question is about login redirect not registration redirect that the thread originally was about.

6/17/2010 1:40:06 AM
Gravatar
Total Posts 11

Re: Registration Redirect

Thank you Joe.

I'll remember next time to post to a new thread.

Jacques

8/13/2010 1:05:44 AM
Gravatar
Total Posts 11

Re: Registration Redirect

Hi Joe.

Has this been included in a recent release?

8/13/2010 5:47:01 AM
Gravatar
Total Posts 18439

Re: Registration Redirect

yes, you would need to add this to your user.config then touch web.config to make it reload settings

<add key="UseRawUrlForCmsPageLoginRedirects" value="true" />

12/24/2012 2:26:03 AM
Gravatar
Total Posts 163

Re: Registration Redirect

but...   where is the code bheind for the register.aspx ?  me also have this problem..

 

see my post in developer forum

12/26/2012 6:03:02 AM
Gravatar
Total Posts 18439

Re: Registration Redirect

The code behind is compiled into mojoPortal.Web.dll, the deployment packages don't contain any c# source code.

See understanding the difference between source code a deployment files

You must sign in to post in the forums. This thread is closed to new posts.