Johan Karlsson #1
FormsAuthentication.RedirectFromLoginPage And Frames
Hi!
I have a page called Login.aspx that handles login (takes username, pass and
compares to a database). If the user is authenticated,
FormsAuthentication.RedirectFromLoginPage is called and the page returns to
the returnUrl. Everything works fine!
BUT, (there's always a but) if I for some reason decide to put the above site
inside an iframe tag the page just resets if I type the correct username and
password. I still get error messages if I type the wrong one. Example:
<iframe src="http://www.someurl.se/default.aspx">
Seems like there is a problem with the cookie that is supposed to get set?
Looking forward to any input into this problem.
Thanks!
Johan Karlsson
Johan Karlsson Guest
-
Daniel Fisher(lennybacon) #2
Re: FormsAuthentication.RedirectFromLoginPage And Frames
> BUT, (there's always a but) if I for some reason decide to put the above
> site inside an iframe tag the page just resets if I type the correct
> username and
YES!, There is always a BUT if you use frames.
;-)
Do you handle the AuthenticateRequests somehow?
--
Daniel Fisher(lennybacon)
MCP ASP.NET C#
Blog: http://www.lennybacon.com/
Daniel Fisher(lennybacon) Guest
-
Johan Karlsson #3
Re: FormsAuthentication.RedirectFromLoginPage And Frames
Hi!
If I decided the frame would go, but the customer's CMS must have my part
inside of a frame so I don't have a choice. :(
The page is divided into 2 sections where the top frame only contains a
logotype and the bottom half the original system.
If I handle the AuthenticateRequests? I must say that I'm no security expert
so I only did what it says in the books. (the easy examples :) )
That is:
1) Get user and pass
2) Verify if valid or not
3) If valid, call FormsAuthentication.RedirectFromLoginPage(u.Login, False)
As stated before, this works in an "unframed environment". What is the
difference when running inside a frame compared to a top level window?
I'm sure that the behavior has some very logical explanation and I'm really
curious to find out what it is.
Thanks!
/Johan
Johan Karlsson Guest
-
Daniel Fisher(lennybacon) #4
Re: FormsAuthentication.RedirectFromLoginPage And Frames
You must assign the IPrincipal in the OnAuthenticateRequest method
(Global.asax).
--
Daniel Fisher(lennybacon)
MCP ASP.NET C#
Blog: http://www.lennybacon.com/
Daniel Fisher(lennybacon) Guest
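A sketch of what assigning the IPrincipal in Global.asax, as suggested in post #4, commonly looks like. This is an added example, not code from the thread or from either poster; the class name `Global` and the convention of keeping comma-separated roles in the ticket's UserData are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Code-behind for Global.asax (class name is an assumption).
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // The forms ticket travels in the cookie named in <forms name="...">.
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            // No forms cookie on this request: it stays anonymous, and
            // protected pages redirect back to the login page.
            return;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt also validates the ticket's integrity check.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return; }       // malformed cookie value
        catch (CryptographicException) { return; }  // tampered or wrong key
        catch (HttpException) { return; }           // invalid ticket data

        if (ticket == null || ticket.Expired)
        {
            return; // treat an expired ticket as not authenticated
        }

        // Assumption: roles were stored comma-separated in UserData when the
        // ticket was issued. A ticket without UserData gives an empty list.
        string[] roles = ticket.UserData.Split(
            new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // Attach the principal so User.IsInRole() and <authorization>
        // rules see the same identity for the rest of the request.
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```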
-
Johan Karlsson #5
Re: FormsAuthentication.RedirectFromLoginPage And Frames
Hi!
Could you give an example? Does this cause the behavior that it doesn't work
in frames but does work outside of frames?
Thanks
/Johan
Johan Karlsson Guest




