1

I only want users with an LocationId to be able to acces my controller methods. On the location index page the users enter their id, which is saved in a cookie.

If a user tries to acces an page without, the user should be redirecteded to the location index page. This almost work, but I have a problem with the redirect.

I am using asp net core 2.0.

My controller looks like this

[AllowAnonymous]
public class LocationController : Controller
{
...
    [HttpGet]
    public IActionResult Index()
    {
        return View();
    }

    [HttpPost]
    public async Task<IActionResult> Index(string id)
    {
        ILocationModel location = await _repo.GetLocation(id);
        if (location != null)
        {
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, location.id) };
            var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
            await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity));
            return RedirectToAction("index", "shop");
        }
        return RedirectToAction("", "");
    }

And in configureServices() in startup I have:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.ReturnUrlParameter = "";
            options.AccessDeniedPath = "/Location/Index/";
            options.LoginPath = "/Location/Index";
            options.LogoutPath = "/Location/Logout";
        });

        services.AddMvc(config =>
        {
            var policy = new AuthorizationPolicyBuilder()
                             .RequireAuthenticatedUser()
                             .Build();
            config.Filters.Add(new AuthorizeFilter(policy));
        });

When I access an page unauthorized I get redirected to http://localhost:54104/Location/Index?=%2FLocation%2FIndex%3F%3D%252FLocation%252FIndex%253F%253D%25252FLocation%25252FIndex%25253F%25253D%2525252FLocation%2525252FIndex%2525253F%2525253D%252525252FLocation%252525252FIndex%252525253F%252525253D%25252525252FLocation%25252525252FIndex%25252525253F%25252525253D%2525252525252FLocation%2525252525252FIndex%2525252525253F%2525252525253D%252525252525252FLocation%252525252525252FIndex%252525252525253F%252525252525253D%25252525252525252FLocation%25252525252525252FIndex%25252525252525253F%25252525252525253D%2525252525252525252FLocation%2525252525252525252FIndex%2525252525252525253F%2525252525252525253D%252525252525252525252FLocation%252525252525252525252FIndex%252525252525252525253F%252525252525252525253D%25252525252525252525252FLocation%25252525252525252525252FIndex%25252525252525252525253F%25252525252525252525253D%2525252525252525252525252FLocation%2525252525252525252525252FIndex%2525252525252525252525253F%2525252525252525252525253D%252525252525252525252525252FLocation%252525252525252525252525252FIndex%252525252525252525252525253F%252525252525252525252525253D%25252525252525252525252525252FLocation%25252525252525252525252525252FIndex%25252525252525252525252525253F%25252525252525252525252525253D%2525252525252525252525252525252FLocation%2525252525252525252525252525252FIndex%2525252525252525252525252525253F%2525252525252525252525252525253D%252525252525252525252525252525252FLocation%252525252525252525252525252525252FIndex%252525252525252525252525252525253F%252525252525252525252525252525253D%25252525252525252525252525252525252FLocation%25252525252525252525252525252525252FIndex%25252525252525252525252525252525253F%25252525252525252525252525252525253D%2525252525252525252525252525252525252FLocation%2525252525252525252525252525252525252FIndex%2525252525252525252525252525252525253F%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FLocation%252525252525252525252525252525252525252FIndex%252525252525252525252525252525252525253F%252525252525252525252525252525252525253D%25252525252525252525252525252525252525252FLocation%25252525252525252525252525252525252525252FIndex

witch causes an HTTP Error 404.15 - Not Found The request filtering module is configured to deny a request where the query string is too long.

Why is all this appended to the path?

Nkosi
  • 235,767
  • 35
  • 427
  • 472
skrl
  • 47
  • 2
  • 6

1 Answers1

0

I had the same problem. It's creating an infinite loop. You have to set a RedirectUri in a AuthenticationProperties object, in your index method (the HttpPost one). Like so: 

var auth = new AuthenticationProperties()
            {
                RedirectUri = "/index/shop"
            };

It could be like:

[HttpPost]
    public async Task<IActionResult> Index(string id)
    {
        ILocationModel location = await _repo.GetLocation(id);
        var auth = new AuthenticationProperties()
            {
                RedirectUri = "/index/shop"
            };

        if (location != null)
        {
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, location.id) };
            var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
            await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity));
           // You have to create a ChallengeResult, otherwise it will be stuck there, and you send the user to where you want to
           return new ChallengeResult("cookies", auth);
        }
        return new ChallengeResult("cookies", auth);
    }

For more info: https://dotnetcoretutorials.com/2017/09/16/cookie-authentication-asp-net-core-2-0/

taiko
  • 458
  • 6
  • 22