Home/ Questions/Q 145599
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T08:27:08+00:00

How do you solve the infinite login loop problem when you are using cookieless

  • 0

How do you solve the infinite login loop problem when you are using cookieless sessions and cannot change the name of login.aspx to a httphandler ?

i.e. When a user with admin rights hits the logout button and the return url to a restricted page is passed to login.aspx then another user without admin rights try’s to login they get redirected back to the login page.

I have come across this solution but I cannot change the name of login.aspx to a http handler, and the isauthenticated function doesn’t seem to work in the aspx page with cookieless auth because the forms auth ticket seems to be stripped from the url when redirected back to the login page.

EDIT:

Because this application is already in production I cannot alter the page flow of the login/logout/timeout process or rename the login page.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Check if the user is authorized to access the page in the returnUrl, after log in on the login.aspx page. You might use this method of the UrlAuthorizationModule (or a custom one if it works best for you):

    System.Web.Security.UrlAuthorizationModule.CheckUrlAccessForPrincipal(       returnUrl,      userPrincipal,       GET');

    If the user isn’t authorized, just redirect to a page that the user can access.

    To get the user Principal:

    var roles = System.Web.Security.Roles.GetRolesForUser(username);  var principal = new System.Security.Principal.GenericPrincipal(     new System.Security.Principal.GenericIdentity(username),      roles  );
    • 0