Previously, when I tried to do an ajax call to an ashx as a non-superuser account (i.e. as portal specific user) my web server would return cookies to clear my authorization. I posted a question about this and it seemed the answer was to make sure that the portalid=xx was specified in my GET parameters.
However, I have just found out that if I add portalid=xx in a POST request, DotNetNuke seems to ignore and and log out any non-superuser account.
How can I keep authorization during DNN POST ajax requests?
I think I have a good handle on the whole situation, and unfortunately it appears that the only true solution is to make sure each child portal has its own subdomain rather than a sub-url (e.g. portal.domain.com rather than domain.com/portal).
The problem is that when your portal 0 is domain.com but portal 1 is domain.com/portal everything works correctly until you need to access an .ashx file via ajax. What happens then is the URL that's requested is instead domain.com/DesktopModules/MyModule/Handler.ashx, which does not contain the /portal/ in it, thus causing DNN to think you are doing a request on portal 0 and logging you out.
While GET requests can overcome this with a portal=1 parameter, this does not seem to work for POST requests.
Therefore, the best solution it seems is to have your portal on a distinct subdomain (portal.domain.com), and then you don't risk missing something like this.
I've found a few things for you to check out and see if any of them solve your problem.
Make sure you are using a ScriptManagerProxy. This allows ascx pages to use AJAX while the parent page is also using AJAX.
There have been many reports of people not being able to run AJAX with DNN if Page State Persistence is set to "Memory". Those who experience this have been able to fix it by switching Page State Persistence to "Page". The easiest way to do this is to run this query:
update HostSettings
set SettingValue='P'
where SettingName='PageStatePersister'
After you run that, you'll need to recycle the application. If you don't have access to the server, just add a space or carriage return to your web.config file (that will force the app to recycle).
Lastly, you might see if you have this line in your web.config. Sometimes removing it will help:
<system.web>
<xhtmlConformance mode="Legacy" />
</system.web>
Related
I am trying to setup a social login for my site.
Here is what I did:
I created credentials on google and have both ClientID and Secret
In default MVC app, in App_Start Startup.Auth.cs I uncommented
app.UseGoogleAuthentication()* method, so it looks like this:
Build solution!
Made sure authorized JavaScript origins and Redirect url are correct. And other things that are needed on console.cloud.google.com are done. Including activation of Google+ API
Eventually Google authentication button should appear in _ExternalLoginsListPartial partial view. But as I can see I have 0 login providers still. And not sure why, and what can I do about it?
var loginProviders = Context.GetOwinContext().Authentication.GetExternalAuthenticationTypes();
//loginProviders.Count() here returns 0
Tried researching, but most are saying that you forgot to build, or restart the server. Tried that but nothing changed.
As last resort, I tried following a tutorial https://youtu.be/WsRyvWvo4EI?t=9m47s
I did everything as shown there, I should be able to reach api/Account/ExternalLogins?returnUrl=%2F&generateState=true url, and receive callback URL from Google.
But I got stuck with same HTTP404 error at 9:50
To answer my question, everything turns out to be fine.
All I had to do was just to give it some time.
After couple of hours, Google provider appeared on the page.
For future readers - if met with 404 in this case, another possibility is an active filtering rule against query strings in IIS. One of the commonly copy-pasted rules aiming to block SQL injection requests scans the query string for open (to catch OPEN cursor). Your OAuth request probably contains this word in the scopes section (data you want to pull from the Google profile)
IIS -> Request Filtering
Switch to the tab "Rules"
Inspect and remove any suspicious active filters there
I have a website that contains links in different places, each link takes the user to a specific document.
Those links are hard-coded, which makes every update to the site very difficult.
Recently the documents were updated and we would like to update each old link with the corresponding new one.
For example
(http://www.domain.com/OnlineDoc/default.aspx#ItemID=3551)
needs to be updated to
(http://domain.docfactory.com/#!doc/Toolkits/Item1-Administration-Doc)
Each item document is determined using the ItemID.
What I'm trying to do is programmatically redirect each old link to it's corresponding new one.
I've tried to use the URL Rewrite module but it seems like it's ignoring everything after the "#", that is important because it determines which document we need to direct to.
My questions are:
Would the URL Rewrite module work? (having a fragment with "#")
If not, would the Http module work?
I'm trying to find a way to easily update the links, without going to each web app HTML and do it manually.
The fragment isn't sent to the server. It's accessible only to the browser. So you need a solution which involves the client-side.
But you can use the URL Rewrite Module in combination with client-side scripting in OnlineDoc/default.aspx that puts the fragment in the path or query part of the URL using a temporary client-side redirect. This makes the document item ID visible to the URL Rewrite Module, which can perform a permanent server-side redirect to the correct URL.
To clarify:
User requests /OnlineDoc/default.aspx#ItemID=123
Client-side scripting on this page issues a "temporary client-side redirect" (in actuality, just an automatic navigation) to /OnlineDoc/default.aspx?ItemID=123
User automatically requests /OnlineDoc/default.aspx?ItemID=123
URL Rewrite Module intercepts requests, and responds with a permanent redirect to docfactory.com/#!doc/Toolkits/Item1-Administration-Doc
User automatically requests docfactory.com/#!doc/Toolkits/Item1-Administration-Doc
The first redirect is temporary because you cannot make permanent redirects with client-side scripting. The second redirect is permanent because the new URL should always replace the old one.
The overall experience for users using this method could be a bit unexpected though, since users going to OnlineDoc will get redirected up to twice before they reach the intended document. Most users probably won't notice the second redirect, but the first will likely be noticable, if only slightly.
I am working on a c# .NET website in which the user can click on a link and get redirected to another web page in a separate website also owned by us. The code is very easy to understand, there is a switch followed by a call to Response.Redirect(the_url_we_want_to_go_to).
I have debugged it numerous times and I can confirm that when the debugger hits this redirect line that the parameter is correct. It points to the QA version of this other website. qa.samplesite.com lets say. However, the browser does not go there. The browser instead hits the test environment instead. Lets call it test.samplesite.com. This is the problem.
I understand there are a million things in between the app servers these two separate websites are on, but maybe one of you has seen something like this before. More specifically, is there a way to catch outbound traffic in the debugger or is there a way to see outbound traffic on the app server itself (in IIS)? I am familiar with intercepting inbound traffic inside of httpmodules. Maybe this isnt a stackoverflow question...
Thanks for your help!
Use the very nice HTTP sniffer "Fiddler". It will allow you to see all HTTP requests. You should verfiy that a) the redirect target is correct (it might be overwritten later in the request pipeline. A Response.Redirect is not the final word) and b) that you don't have a second redirect after the first one.
You can try using the overload of Response.Redirect as
Response.Redirect("url_here", true);
This will stop the response on current page (as endResponse is set to true) and redirect to the url.
If you still have the issue, then this might be some name resolution error.
Check to see you your hosts files in the windows directory found here
C:\Windows\System32\drivers\etc\hosts
Hope this will do it.
I finally figured a similar issue I had. It was quite silly. I had copied some .aspx pages making minor changes. The page where I tried to redirect the client, had it's "CodeBehind" setting wrong. So it redirected to the right page, but loaded the CodeBehind from another page!
I have the page:
~/forum/forum_faq.html
In my logs I've seen 404 requests to:
~/forum_faq.html
For some reason, so I attempt to fix it with this rule:
<rewrite url="~/forum_faq.html$" to="~/Handlers/PermRedirect.ashx?URL=forum/forum_faq.html" processing="stop" />
The perm redirect file just does a 301 redirect to the given location. When this rule isn't there, I can access forum/forum_faq.html just fine. When I add the rule, I get a:
This web page has a redirect loop The web page at
http://127.0.0.1/forum/forum_faq.html has resulted in too many
redirects. Clearing your cookies for this site or allowing third-party
cookies may fix the problem. If not, it is possibly a server
configuration issue and not a problem with your computer.
Any ideas what's going on?
Is suspect what is happening is Forum is an ASP.NET application in IIS. Your ~/forum_faq.html$ is therefore matching the path /forums/forum_faq.html sending it via your handler which then redirects to /forum/forum_faq.html in an infinite loop.
The site im working on is an Ajax enabled ASP.net/C# project and i have a URL like this:
http://localhost:2531/(S(lfcvqc55wkabpp55o1x4pvq5))/Logon.aspx
How do you get rid of the (S(lfcvqc55wkabpp55o1x4pvq5)) portion of the URL? I have a feeling its a web.config parameter however I'm not really sure what you call this part?
That is your SessionId - check the <sessionState> element in web.config and you will likely see <sessionState cookieless="true" />
Set that to false and see how it goes. But keep in mind that session state will then be tracked by setting a cookie. It is possible that the designer of the site had a valid reason for using the url to track session. You should probably ask someone.
If you simply don't like the way it looks and want it gone, but did not consider that it is purposeful, perhaps you should really talk to someone with a nameplate and a door before doing anything.