How to redirect a user back to where he was after login in asp.net mvc 3

I'm learning ASP.NET MVC3 and I'm now examining the user handling. My first problem would be (I know there is a lot about this subject in other threads, I just fail to find a good one with MVC3) that I want the login page to redirect me where I came from, or where I was redirected from. In php perhaps I would add this url to the querystring, maybe. But I need a way to do this somehow automatica开发者_C百科lly, and this is a so common design pattern I was wondering if there is a "built in" way to do this.

What would be the cleanest, or preferred way to do this?

Also when I'm redirecting to a login page which would be the best way for checking and storing the url which I'm redirected from? I would check for the referrer in the request object and spit it out in the url as "?redirect=protected.html" but I'm not even sure how to properly do this.

Any advice on this subject would be appreciated.

MVC works the same way as ASP.NET.

If you use Forms Authentication a lot of those questions will be answered for you.

In your Web Config find the line that says authentication="Windows" and then change that to Forms

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" />
</authentication>

MVC 3 will actually give you the Account/LogOn route as part of the MVC 3 template project (check your models and see if you have one called AccountModel).

Then you just add Authorization to deny all users to your site:

<authorization>
  <deny users="?"/>
</authorization>

by default this will send any person coming to your site off to your login.

So after you have validated that there login credentials are correct you set the AuthCookie the same as ASP.NET:

FormsAuthentication.SetAuthCookie(userName, false);

Form this you can the redirect to where ever you want.

to redirect back to where you came from use:

FormsAuthentication.RedirectFromLoginPage(userName, false);

Not forgetting the other useful statement of:

FormsAuthentication.SignOut();

Without Authentication the site wont let you access anywhere until you are logged in, so the CSS will stop working.

The locations I have added to make sure this doesnt happen are as follows:

<location path="Content">
 <system.web>
  <authorization>
    <allow users="?"/>
  </authorization>
 </system.web>
</location>
<location path="Scripts">
 <system.web>
  <authorization>
    <allow users="?"/>
  </authorization>
 </system.web>
</location>

In asp.net it is a ?returnUrl=...

(1) Make sure you have something like

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>

in your root web.config.

(2) In your Controller you want to protect, add [Authorize] attribute above it.

Please create new project and select the Internet Application template rather than Empty one and you will get sample of the simple login process as well as changing password.

Note: Please read this as well: http://www.asp.net/mvc/tutorials/preventing-open-redirection-attacks

The sample shows after logging in process, it make sure the returnUrl is a local url by the Url.IsLocalUrl() helper to protect from Open Redirection Attack.

Update: The best way is to implement your own custom login process after you really know the standard process for example instead of using the URL to track where the user come from, you can set a new cookie to store the returnUrl with httponly cookie and delete it just before redirect to previous page.

Another common practice is to use roles. You may specific a directory/controller for specific group of user called Role by adding the permitted role like this as an attribute above the controller:

[Authorize(Roles = "Admin")]

See this visual studio administration tool to create sample users and roles with built-in web interface.

You may also want to use sitemap to arrange your pages and menu link with show/hide menu based on current user role. Use this mvcsitemap to add security trimming features in ASP.NET MVC sitemap.

In some cases there happens to be a custom authentication instead of standard forms based (common case for enterprise level applications).

In this case I would recommend manually managing returnUrl parameter in the querystring. Login page reads this URL and redirects back after successful authentication.