Bypassing forms authentication when a query string is passed

In ASP.Net, is anyone aware of a way to bypass Forms Authentication if a specific query string parameter is passed in?

Such as:

mydomain.com/myprotectedpage.aspx

...I would like to be protected by Forms Authentication (and so, redirected to login page)

mydomain.com/mypr开发者_如何学Gootectedpage.aspx?myBypassParameter=me

...I would like the page to render as normal

Is this at all possible?

Not really any "official" way of doing it.

You could do what I do, is have a base page instead of system.web.ui.page like so:

Public MustInherit Class ProtectedPage
Inherits System.Web.UI.Page

Private Sub Page_InitComplete(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.InitComplete
    If User.Identity.IsAuthenticated = False Then
        If String.IsNullOrEmpty(Request.QueryString("myBypassParameter")) Then
            FormsAuthentication.RedirectToLoginPage()
        End If
    End If
End Sub

End Class

In your code behind, you could simply use Request.QueryString["myBypassParameter"] and check its value. If it's an invalid value, then use FormsAuthentication.RedirectToLoginPage or a custom redirect to put the user back at the log in page. However, this doesn't seem like a secure method of protecting a page. What if someone got hold of the specific parameter and managed to gain access to your protected page? Also, you want to make sure that the QueryString value is valid (maybe by a regular expression) to ensure the user hasn't passed malicious code which will then be read by your application.

You might be able to jam some quick code into the Application_AuthenticateRequest event. You could then test for the parameter and adjust the User.Identity as necessary to allow the page. You'd have to put in a page check as well to make sure it didn't allow this behavior on all restricted pages.

I wouldn't recommend this design as an approach though. If you need to have a protected area accessed in an anonymous fashion, it'd be better to put all of your functionality into a UserControl and then use a protected/unprotected version of a parent page. This would allow you to control what goes out and when.