Support us .Net Basics C# SQL ASP.NET Aarvi MVC Slides C# Programs Subscribe Download

Redirect user to original url after login in asp.net core

Suggested Videos
Part 69 - Show or hide login and logout links based on login status in asp.net core | Text | Slides
Part 70 - Implementing login functionality in asp.net core | Text | Slides
Part 71 - Authorization in ASP.NET Core | Text | Slides

In this video we will discuss, how to redirect the user to the original requested URL after a successful login.

ReturnUrl in ASP.NET Core


What happens when we try to navigate to a URL, to which we do not have access, until we login

By default, ASP.NET Core redirects to the login URL with ReturnUrl query string parameter. The URL that we were trying to access will be the value of the ReturnUrl query string parameter.


ReturnUrl Query String Example

In this example, ReturnUrl is set to ReturnUrl=/home/create. I was trying to Create a New Employee by navigating to /home/create without first signing in. Since I do not have access to /home/create until I login, ASP.NET core redirected to the login URL which is /Account/Login with the query string parameter ReturnUrl 

http://localhost:4901/Account/Login?ReturnUrl=%2Fhome%2Fcreate

The characters %2F are the encoded characters for a forward slash (/). To decode these characters in the URL, you may use the following website.

https://meyerweb.com/eric/tools/dencoder/

Redirect to ReturnUrl after Login
  • ASP.NET Core model binding automatically maps the value 
    • from the URL query string parameter ReturnUrl 
    • to the Login() action method parameter returnUrl
  • ASP.NET Core Redirect(returnUrl) method, redirects the user to the specified returnUrl
[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        var result = await signInManager.PasswordSignInAsync(model.Email,
            model.Password, model.RememberMe, false);

        if (result.Succeeded)
        {
            if (!string.IsNullOrEmpty(returnUrl))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("index", "home");
            }
        }

        ModelState.AddModelError(string.Empty, "Invalid Login Attempt");
    }

    return View(model);
}

There is a serious flaw in the way we have used the ReturnUrl query string parameter. This opens a serious security hole with in our application which is commonly known as open redirect vulnerability. 

Next video : What is open redirect vulnerability and how to fix it in asp.net core

asp.net core tutorial for beginners

4 comments:

  1. on http post returnUrl parameter is null, also querystring is empty. What did I miss?

    ReplyDelete
  2. On your form in the login.cshtml, add this: asp-route-returnurl="@Context.Request.Query["ReturnUrl"]";

    This should work!

    ReplyDelete
  3. for some reason asp.net core 3.1 did not add the query to the url. Maybe it has something to do with [Rout] attribute. however I found this approach more robust.
    asp-route-returnurl=Request.Headers["Referer"].ToString();

    ReplyDelete

It would be great if you can help share these free resources