ASP.Net MVC ReturnUrl Practice
Posted by Terry on Stack Overflow
Published on 2010-05-24T21:19:56Z
Indexed on 2010/05/24 21:21 UTC
I have a question about the returnUrl querystring parameter that is appended by ASP.Net when attempting to hit a page that requires authentication. In looking at Microsoft NerdDinner Sample's LogOn action (along with every other 'sample authentication code' I see on the 'net), it just has the ReturnUrl parameter declared in the action's signature and uses it directly in a Redirect() call. However, back in the WebForms days and using Membership Controls, we used to use the FormsAuthentication.GetReturnUrl() call. Besides returning the 'default url' if no url was specified in the querystring, it also does a few security checks (Cross App Redirect and 'IsDangerousUrl()'). Are those no longer a concern or are all the sample 'log on' actions I'm seeing all over the 'net just ignoring those issues?
© Stack Overflow or respective owner
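
One way to validate ReturnUrl before it reaches Redirect(), so that only same-site paths are followed and anything else falls back to a default. This is an added example, not part of the original post or of NerdDinner, and it is a stand-alone approximation rather than the FormsAuthentication implementation; ReturnUrlGuard, IsLocalUrl, SafeReturnUrl and DefaultUrl are hypothetical names and the sample values are constructed.

```csharp
using System;

// Added example, not from the original post. ReturnUrlGuard, SafeReturnUrl and
// DefaultUrl are hypothetical names; the sample values below are constructed.
public static class ReturnUrlGuard
{
    private const string DefaultUrl = "/";

    // True only for a path on the current site: it starts with a single '/',
    // carries no scheme or host, and contains no character that a browser
    // would strip or normalise into a host-relative form.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        foreach (char c in url)
        {
            // Browsers drop tabs and newlines and treat '\' like '/'.
            // Rejecting them everywhere is deliberately conservative.
            if (char.IsControl(c) || c == '\\') return false;
        }

        if (url[0] != '/') return false;                    // absolute URL or page-relative path
        if (url.Length > 1 && url[1] == '/') return false;  // "//host" is scheme-relative
        return true;
    }

    // The value a LogOn action would hand to Redirect() after a successful sign-in.
    public static string SafeReturnUrl(string returnUrl)
    {
        return IsLocalUrl(returnUrl) ? returnUrl : DefaultUrl;
    }

    public static void Main()
    {
        string[] samples =
        {
            "/Dinners/Details/5",       // normal post-login target
            null,                       // no ReturnUrl supplied
            "http://other.example/",    // absolute URL to another site
            "//other.example/",         // scheme-relative URL
            "/\\other.example/",        // backslash variant
            "/\t/other.example/",       // embedded control character
            "Account/LogOn"             // not rooted at the site
        };

        foreach (string s in samples)
            Console.WriteLine("{0,-26} -> {1}", s ?? "(null)", SafeReturnUrl(s));
    }
}
```

Only the first sample is returned unchanged; every other input resolves to the default URL.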