
Url Rewriting with Forms Authentication

Lee
Hi all ;)
Preamble
--------
I'm using URL rewriting to enforce a frames policy (yeah, I know frames
are 'bad' :) - i.e. if a request comes in for a page which should be
nested within a frameset, the url is rewritten to something of the form
'http://www.blah.com/framesdoc.aspx?lowerFrame=/page.aspx', the
'framesdoc' page then dynamically generates the src attribute for the
frame appropriately to load the content specified in the 'lowerFrame'
query var.

As mentioned in Scott Mitchell's article (1), if using Forms
Authentication, the rewriting should take place in response to the
AuthorizeRequest event, to prevent the FormsAuthenticationModule using
the rewritten url as a return url from the login page.

At first read, the article seemed to imply that FormsAuthentication will
still function to restrict access to pages specified within the rewritten
url.

Of course, after a little more thought, it seems clear that there's no
way this could work: the FormsAuthenticationModule has already missed its
opportunity by the time the url is rewritten.

Question
--------
So, what I'm seeking is some work-around which will allow me to use url
rewriting on a site which makes selective use of FormsAuthentication
(e.g. a '/Secure' folder is restricted to authenticated users.)

I first thought of rewriting the url in response to BeginRequest rather
than AuthorizeRequest so that a redirect-to-login-page will occur if
needed and then somehow communicating the original, pre-rewritten url to
the login page, so that the url can once again be rewritten to overwrite
the 'ReturnUrl=...' portion. The question then becomes 'how do I
communicate the pre-rewritten url to the login page?' as there's no
session state at that point (is there?) and I understand it's
unacceptable to update objects in the Application cache from multiple
threads.

My next idea was that I might be able to use the location element within
web.config to specify that certain paths matching pre-rewritten URLs are
restricted; no luck there, though.

Any ideas on how to solve this?

Any other comments would be appreciated as I've hit a point in the
application where I really need url rewriting *and* forms authentication
but am unable to progress.

Kind regards,
Lee.
--
References:

1) Scott Mitchell's article 'URL Rewriting in ASP.NET' :

http://msdn.microsoft.com/library/de...l=/library/en-us/dnaspp/html/urlrewriting.asp

Nov 19 '05 #1
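
Added example, not part of the original post: one way to keep the '/Secure' rules in force when rewriting during AuthorizeRequest is to evaluate the web.config authorization rules for the pre-rewrite path explicitly before calling RewritePath, so the check does not depend on which module handles the event first. It assumes ASP.NET 2.0 or later; the module name and the NeedsFrameset policy are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module; register it under <httpModules> in web.config.
public class FramesRewriteModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // By AuthorizeRequest, authentication has already populated Context.User
        // (an unauthenticated principal for anonymous visitors).
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string original = ctx.Request.Path;   // e.g. /Secure/page.aspx

        if (!NeedsFrameset(original))
            return;

        // Apply the <authorization> rules that cover the ORIGINAL path
        // (for example a <location path="Secure"> block) before rewriting.
        if (!UrlAuthorizationModule.CheckUrlAccessForPrincipal(
                original, ctx.User, ctx.Request.HttpMethod))
        {
            // Called before RewritePath, so the request still carries the
            // original URL when the login redirect is built.
            FormsAuthentication.RedirectToLoginPage();
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        // Only authorized requests reach the frameset document.
        ctx.RewritePath("/framesdoc.aspx", String.Empty,
                        "lowerFrame=" + HttpUtility.UrlEncode(original));
    }

    // Stand-in for the site's own frames policy (assumption). A real rule must
    // also skip the login page and the request the frame itself issues.
    private static bool NeedsFrameset(string path)
    {
        return path.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase)
            && !path.EndsWith("/framesdoc.aspx", StringComparison.OrdinalIgnoreCase);
    }

    public void Dispose() { }
}
```

Because lowerFrame is taken from Request.Path rather than from user-supplied query data, the frameset document only ever receives a local path that has already passed the authorization check.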