I have a problem with my project Asp.net mvc 1.0, with .net framework 2.0. My application is hosted on a IIS 7.5. My authentication form looks like this:
<authentication mode="Forms">
<forms protection="All" loginUrl="~/Account/LogOn" timeout="60" cookieless="UseUri" />
</authentication>
<httpRuntime executionTimeout="1000" maxRequestLength="600000" />
<sessionState mode="InProc" cookieless="UseUri" timeout="60">
</sessionState>
When a user connects to the webpage, he receives a session id which is stored in the URL. When I connect to my webpage with the default UserAgent (in every browser, Chrome/FF/IE) everything works fine. When I override the browser UserAgent and try to connect with the User agent XXXXXXXX.UP.BROWSER, I receive an infinite redirection loop to address
http://<IP>_redir=1
But when I connect to the default webpage IIS - the user agent doesn't matter and everything loads fine, so it must be a problem with the specified UserAgent and my Application. I tried to find any filters for that XXXXXXXX.UP.BROWSER UserAgent but there aren't any. When I studied application lifecycle I tried to find the differences between good connection and wrong connection and found that functions which are NOT executed are:
Application_AcquireRequestState
Application_PostAcquireRequestState
Application_PreRequestHandlerExecute
Application_PostRequestHandlerExecute
Application_ReleaseRequestState
Application_PostReleaseRequestState
Application_UpdateRequestCache
Application_PostUpdateRequestCache
and another clue I found is that there is no Session in "wrong" connection - Session object is null.
To sum it up: The connection to my application web page with a specified user agent makes an infinite redirection loop, probably because of the lack of the session ID. What could be the problem ?
EDIT: I discovered that User Agent that contains "UP.Browser" is related to mobile. When I changed cookieless to "UseCookies" everything works. Why option "UseUri" doesn't work for mobiles?
EDIT2 : /admin -> my webpage hosted on specified IP address.
Good connection :
Wrong connection:
Sorry, I don't know how to make these images bigger.
http://msdn.microsoft.com/en-us/library/aa479315.aspx
So you're putting two different values into the URI, one for session and one for forms, which would probably create a lengthy URI:
"The principal limitation of this feature is the limited amount of data that can be stored in the URL. This feature is not targeted at common browsers such as IE, since these do support cookies and do not require this feature. The browsers that do not support cookies are the ones found on mobile devices (such as phones), and these browsers typically severely limit the size of the URL they support. So, be careful when you use this feature—try to make sure that the cookieless string generated by your application is small."
My guess is that the key to the infinite redirect loop is this functionality:
"// Step 5: We can't detect if cookies are supported or not. So, send a
// challenge to the client. We do this by sending a cookie, as
// well as setting a query string variable, and then doing a
// redirect back to this page. On the next request, if cookie
// comes back, then Step 3 will report that "cookies are
// supported". On the other hand, if the next request does not
// have any cookies, then Step 4 will report "cookies not
// supported".
SetAutoDetectionCookie();
Redirect(ThisPage + Our_auto_detect_challenge_variable);"
Unfortunately, this sounds like a bit of an architecture rethink, as it's probably going to now matter what the full path to your site is and you may have to drop automatic handling of forms authentication.
As you said the issue is for mobile browsers, I think this issue is limited to the devices(MOBILE) where the cookies are not supported and the Size of the URL increases and mobile browser severely limit that size, as mentioned in the MSDN reference article above.
My solution was to change User Agent containing "UP.Browser" to something else using rewrite rule. Everything works fine ;)
Edit: I found another clue.
In mobile browser - these with user agents containing "UP.Browser", it was necessary to add slash at the of the address.
In conclusion:
Everything works fine for user agents not related with "UP.Browser".
User agents containing "UP.Browser" needed address like:
http://addr/controller/
I don't know why it is necessary. Any ideas?
Related
I am trying to setup a social login for my site.
Here is what I did:
I created credentials on google and have both ClientID and Secret
In default MVC app, in App_Start Startup.Auth.cs I uncommented
app.UseGoogleAuthentication()* method, so it looks like this:
Build solution!
Made sure authorized JavaScript origins and Redirect url are correct. And other things that are needed on console.cloud.google.com are done. Including activation of Google+ API
Eventually Google authentication button should appear in _ExternalLoginsListPartial partial view. But as I can see I have 0 login providers still. And not sure why, and what can I do about it?
var loginProviders = Context.GetOwinContext().Authentication.GetExternalAuthenticationTypes();
//loginProviders.Count() here returns 0
Tried researching, but most are saying that you forgot to build, or restart the server. Tried that but nothing changed.
As last resort, I tried following a tutorial https://youtu.be/WsRyvWvo4EI?t=9m47s
I did everything as shown there, I should be able to reach api/Account/ExternalLogins?returnUrl=%2F&generateState=true url, and receive callback URL from Google.
But I got stuck with same HTTP404 error at 9:50
To answer my question, everything turns out to be fine.
All I had to do was just to give it some time.
After couple of hours, Google provider appeared on the page.
For future readers - if met with 404 in this case, another possibility is an active filtering rule against query strings in IIS. One of the commonly copy-pasted rules aiming to block SQL injection requests scans the query string for open (to catch OPEN cursor). Your OAuth request probably contains this word in the scopes section (data you want to pull from the Google profile)
IIS -> Request Filtering
Switch to the tab "Rules"
Inspect and remove any suspicious active filters there
Hi I hope someone can help me out here.
I have a Web Application (asp.net) on my local machine, I am trying to upload video to YouTube using this sample https://developers.google.com/youtube/v3/code_samples/dotnet#upload_a_video
I have set up client id and secret for Web application in Google console when I try to upload video a browser tab opens to select one of my google accounts and once I sig in I get redirect_uri_mismatch the response details on that page are below:
cookie_policy_enforce=false
scope=https://www.googleapis.com/auth/youtube.upload
response_type=code
access_type=offline
redirect_uri=http://localhost:55556/authorize/
pageId=[some page id removed here for security reasons]
display=page
client_id=[some unique id removed here for security reasons].apps.googleusercontent.com
one interesting thing is that the redirect_uri=http://localhost:55556/authorize/ is completely different from the one set up in Google console and the one in client_secrets.json also each time I get the error page the port number changes.
redurect urls and origins are set as follows in Google console I think I have added all combinations just in case:
Authorized redirect URI
http://localhost/
https://localhost/
http://localhost:50169/AddContent.aspx
https://localhost:50169/AddContent.aspx
http://localhost:50169
Authorized JavaScript origins
http://localhost/
https://localhost/
http://localhost:50169/
https://localhost:50169/
I am not sure why redirect-uri on the error page does not match any of the
Authorized redirect URI I have specified in Google console ? any ideas ?
Also is it possible that everything is set-up correctly in Google console and my code but this error is triggered by something else like maybe I missed some setting on my you tube account ? I did not make any setting changes since I don't think I have to is that correct ?
Ok I belive that direct video upload to the website owner account is no longer supported in YT API v3.0 according to those posts.
Can YouTube Direct Upload to a Common Account for All Users?
How can I get the youtube webcam widget to upload to one account using API?
Shame, I think I will need to host the videos that users upload on my servers.
However the original issue was fixed by adding this URI to the redirect URIs in the developer console
http://localhost/authorize/
Google OAuth 2 authorization - Error: redirect_uri_mismatch
I got it to work by setting the Redirect URIs to exactly this:
http://localhost:50517/signin-google
Note:
- it does not work with a trailing slash
- port number is whatever your visual studio is assigning
- I set JavaScript Origins to:
http://localhost:50517/
With you, though, would be nice if someone actually documented this somewhere...
You should look into your code where you create the authorization URI. You need pass one of the redirect URIs you registered with Google developer console. I guess you're using some OAuth2 library which uses the localhost:port/authorize as the default redirect URI. The port changes because each time you start your local server, it picks a different port number. To fix it, you should specify a port number when starting it, for example, 8080. Then you should register localhost:8080/AddContent.aspx in Google developer console and pass it to whichever library you use to create the authorization URI.
I experienced a similar problem when trying to setup the quickstart app for the Drive REST API. I kept getting the redirect_uri_mismatch error and the port number with that error kept changing. The fix for me was to change the redirect URI in the Google Developers Console for my app to not include the port number.
There is a really easy way to get round this and I kicked myself when it dawned on me.
I am using "Web Application" credentials - you'll want the credentials manager open btw.
Run the DotNet sample app and let the browser open (I get the "Select An Account" page) - then look in the URL for the redirect URI that's been automatically generated by Google's code something like:
redirect_uri%3Dhttp://localhost:62041/authorize/
Then just go to the credentials manager and add this URL to the allowed list and save. Now select your google account and see what happens - it takes a few minutes for the API to update - if you get the redirect error page just hit back and select you account again - eventually it works and returns back to visual studio.
Once the account has been authorised once it sticks (clear the bin directory to unstick it) but this means you can now put a break point in the code and look at the credentials variable to get the refresh token everyone is so desperately trying to get so that you can persist account connections.
Previously, when I tried to do an ajax call to an ashx as a non-superuser account (i.e. as portal specific user) my web server would return cookies to clear my authorization. I posted a question about this and it seemed the answer was to make sure that the portalid=xx was specified in my GET parameters.
However, I have just found out that if I add portalid=xx in a POST request, DotNetNuke seems to ignore and and log out any non-superuser account.
How can I keep authorization during DNN POST ajax requests?
I think I have a good handle on the whole situation, and unfortunately it appears that the only true solution is to make sure each child portal has its own subdomain rather than a sub-url (e.g. portal.domain.com rather than domain.com/portal).
The problem is that when your portal 0 is domain.com but portal 1 is domain.com/portal everything works correctly until you need to access an .ashx file via ajax. What happens then is the URL that's requested is instead domain.com/DesktopModules/MyModule/Handler.ashx, which does not contain the /portal/ in it, thus causing DNN to think you are doing a request on portal 0 and logging you out.
While GET requests can overcome this with a portal=1 parameter, this does not seem to work for POST requests.
Therefore, the best solution it seems is to have your portal on a distinct subdomain (portal.domain.com), and then you don't risk missing something like this.
I've found a few things for you to check out and see if any of them solve your problem.
Make sure you are using a ScriptManagerProxy. This allows ascx pages to use AJAX while the parent page is also using AJAX.
There have been many reports of people not being able to run AJAX with DNN if Page State Persistence is set to "Memory". Those who experience this have been able to fix it by switching Page State Persistence to "Page". The easiest way to do this is to run this query:
update HostSettings
set SettingValue='P'
where SettingName='PageStatePersister'
After you run that, you'll need to recycle the application. If you don't have access to the server, just add a space or carriage return to your web.config file (that will force the app to recycle).
Lastly, you might see if you have this line in your web.config. Sometimes removing it will help:
<system.web>
<xhtmlConformance mode="Legacy" />
</system.web>
I have the page:
~/forum/forum_faq.html
In my logs I've seen 404 requests to:
~/forum_faq.html
For some reason, so I attempt to fix it with this rule:
<rewrite url="~/forum_faq.html$" to="~/Handlers/PermRedirect.ashx?URL=forum/forum_faq.html" processing="stop" />
The perm redirect file just does a 301 redirect to the given location. When this rule isn't there, I can access forum/forum_faq.html just fine. When I add the rule, I get a:
This web page has a redirect loop The web page at
http://127.0.0.1/forum/forum_faq.html has resulted in too many
redirects. Clearing your cookies for this site or allowing third-party
cookies may fix the problem. If not, it is possibly a server
configuration issue and not a problem with your computer.
Any ideas what's going on?
Is suspect what is happening is Forum is an ASP.NET application in IIS. Your ~/forum_faq.html$ is therefore matching the path /forums/forum_faq.html sending it via your handler which then redirects to /forum/forum_faq.html in an infinite loop.
I have a situation in which there is a login page.After successfully logging in,i 'm redirected to http:\localhost\default.aspx.I want that after logging in my browser url should look like www.abc.com but the pa ge opened would be http:\localhost\default.aspx.I'm not able to do this using URL rewriting
Unfortunately, this is not possible for internet users - you can't 'fake' the URL that your user is looking at. Otherwise evil-doers could re-write 'www.istealyourmoney.com' as 'www.trustworthybank.com', etc.
The only possible option I can think of is if your users are all on the same local area network. In that case, you can add an entry to your HOSTS file with www.abc.com aliased to 'localhost'.
As said by JBRWilkinson this is not generally possible, however if you want to do this just to help you build out a site while you work on it locally, add an entry to your HOSTS file (on Windows: C:\Windows\System32\Drivers\Etc\Hosts) that maps www.abc.com to 127.0.0.1. You want to add a line that looks like this to the end of the file:
127.0.0.1 www.abc.com
Then you can access your local development website with the URL www.abc.com. Note that this will also block access to the live version of that website on your machine.
can't we achieve using IIS url rewrite?
http://www.codinghorror.com/blog/archives/000797.html