Bypassing forms authentication when a query string is passed
In ASP.Net, is anyone aware of a way to bypass Forms Authentication if a specific query string parameter is passed in?
Such as:
mydomain.com/myprotectedpage.aspx
...I would like to be protected by Forms Authentication (and so, redirected to login page)
mydomain.com/mypr开发者_如何学Gootectedpage.aspx?myBypassParameter=me
...I would like the page to render as normal
Is this at all possible?
Not really any "official" way of doing it.
You could do what I do, is have a base page instead of system.web.ui.page like so:
Public MustInherit Class ProtectedPage
Inherits System.Web.UI.Page
Private Sub Page_InitComplete(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.InitComplete
If User.Identity.IsAuthenticated = False Then
If String.IsNullOrEmpty(Request.QueryString("myBypassParameter")) Then
FormsAuthentication.RedirectToLoginPage()
End If
End If
End Sub
End Class
In your code behind, you could simply use Request.QueryString["myBypassParameter"]
and check its value. If it's an invalid value, then use FormsAuthentication.RedirectToLoginPage
or a custom redirect to put the user back at the log in page. However, this doesn't seem like a secure method of protecting a page. What if someone got hold of the specific parameter and managed to gain access to your protected page? Also, you want to make sure that the QueryString value is valid (maybe by a regular expression) to ensure the user hasn't passed malicious code which will then be read by your application.
You might be able to jam some quick code into the Application_AuthenticateRequest event. You could then test for the parameter and adjust the User.Identity as necessary to allow the page. You'd have to put in a page check as well to make sure it didn't allow this behavior on all restricted pages.
I wouldn't recommend this design as an approach though. If you need to have a protected area accessed in an anonymous fashion, it'd be better to put all of your functionality into a UserControl and then use a protected/unprotected version of a parent page. This would allow you to control what goes out and when.
精彩评论