Home/ Questions/Q 6989943
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T19:16:50+00:00

what is the best approach to prevent open redirection attacks.Currently i am developing asp.net

  • 0

what is the best approach to prevent open redirection attacks.Currently i am developing asp.net website.I want to make sure not to redirect the users to external links up on successful login?

Edit: Is it possible implement the solution without changing the existing code?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m assuming you’re using the login control.
    You should hook-up a check that the ReturnUrl parameter is a local url (and not one pointing to a different domain). The loggedin event would be a good place to do something like this:

    void OnLoggedIn(object sender, EventArgs e)
{
    string returnto = Request.QueryString["ReturnUrl"];
    if (returnto != "" and isLocalUrl(returnto)) Response.Redirect(returnto);
}

    where you can use the definition of IsLocalUrl given here

    private bool IsLocalUrl(string url)
{
    if (string.IsNullOrEmpty(url))
    {
        return false;
    }

    Uri absoluteUri;
    if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
    {
        return String.Equals(this.Request.Url.Host, absoluteUri.Host, 
                    StringComparison.OrdinalIgnoreCase);
    }
    else
    {
        bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
            && Uri.IsWellFormedUriString(url, UriKind.Relative);
        return isLocal;
    }
}
    • 0