1

We have a straight forward ASP.NET web application with a login page. After the user enters credentials and submits the form, the server processes the details and if successful, Response.Redirect()'s the user to the Main Menu page. (We also have a navigation bar where the user can navigate to other pages via similar response.redirects)

One of our customers is setting up an IBM Data Power Web Application Firewall, and has told us this Redirect after a POST is an RFC violation and consequently the application does not work.

There are a few questions here that are related to Get/Post/Redirect, and they indicate that its up to the discretion of the browser to use the 302 response as a get or a post. I have also found other links on the public internet that lead me to believe this something the IBM device could be configured to handle.

Before I suggest changing the IBM device configuration, are there any configuration based (or simple code) ways to make a trivial login page (not using the asp.net login control) work where a GET request can send the login credentials, or make all postbacks in the site use a GET instead of POST?

Also, if anyone has tips for working with this IBM device, they would be appreciated.

An example of the code...

var userName = txtUserName.Text.Trim();
var password = txtPassword.Text.Trim();
var authResult = GetAuthService().AuthenticateUser(userName, password);
if (authResult == true)
{
 //set forms auth cookie
 Response.Redirect("Menu.aspx", false);
}
else
{
 lblError.Text = "Unable to login";
}
StingyJack
  • 19,041
  • 10
  • 63
  • 122
  • I don't think there's a mechanism for this, no. Since there's a *lot* more data in a WebForms post-back than just a couple of text inputs. You could code a workaround on the page to check `Request.QueryString` as a fallback for the control inputs, just as a one-off for this customer. Though this customer really should try to honor redirect requests, or they're going to run into a lot of problems with web applications. (Specifically, they won't be able to use pretty much *any* WebForms application.) – David Oct 19 '15 at 20:40
  • `GET` as I'm sure you know is supposed to be idempotent. Therefore converting all `POST`s to `GET`s is a an even bigger 'violation' of standard. Which RFC violation is your customer specifically referring too? From memory the user agent only needs to be advised if the redirect involves further non-idempotent processing i.e. is not a `GET`. How many users are in a position to even make that call, if they were prompted on every redirect to 'allow' this or that? Converting all `POST` to `GET` is just absurd. I'd make sure there is nothing 'political' to the request... sounds like a runaround. – rism Oct 20 '15 at 04:39
  • @rism - he didnt say which RFC, only that "I had apparently never bothered to read any". =/ – StingyJack Oct 20 '15 at 17:03

1 Answers1

1

A POST followed by a redirect is a usual mechanism found in many implementation. For example, consider using JAAS authentication. You present a form to a user and it is posted on '*/j_security_check' URL. Once authenticated you are redirected to a resource page, else you are re-directed to an error page.

I am not sure what is configured on datapower, but if your developer is using MPGW construct for this, then he can try playing around with two properties found in 'Advanced' tab of it. One is 'follow redirects' and another one is allow 'empty request'.

May be this helps you.

Ajitabh Sharma
  • 101
  • 3