Redirect from within httphandler



ets
13 Apr 2007, 6:09 AM
Hi all
I have the following situation:

I have designed an Ext.Form, basically a login form; when the user clicks the login button, I call
formLogin.submit(.....

This is my form definition:

formLogin = new Ext.Form({
    labelAlign: 'right',
    labelWidth: 75,
    url: "/mysite/login.ashx"
});

and then the HttpHandler (login.ashx) validates the login and password. If there is an error, it returns JSON data indicating the error; if everything is OK, I want to redirect to another page, and here is the problem:

context.Redirect("/mysite/FirstPage.aspx", false);

This redirection responds with FirstPage.aspx, but the handler call expects JSON data, and an error is produced.

Is there a way to redirect from the HttpHandler and not from JavaScript code?
For security reasons I don't want to do:

window.location = "/mysite/FirstPage.aspx";

Thanks in advance
Daniel

MrKurt
13 Apr 2007, 6:14 AM
You'll need to do the window.location thing if you want the user redirected to a different page. That's not any less secure than using context.Redirect, so don't worry about it.

There's no other way to do it.

franklt69
14 Apr 2007, 5:13 AM
Hi MrKurt, why did you say: "That's not any less secure than using context.Redirect"?

I think when I do the redirect from the server, the client doesn't know which page I am going to; using window.location, the client can open the .js and know that if the login succeeds, the program will go to page x. To me that is less secure than using context.Redirect.

What do you think?

Kind regards
Frank

MrKurt
14 Apr 2007, 6:40 AM
Response.Redirect just sends the new location back to the client in the response header. Even if the browser doesn't update the address bar (which it should), it's just as easy to see that as it is to pop open the javascript.

franklt69
14 Apr 2007, 8:26 AM
MrKurt, I agree, but what if in the page load I do this:

if (userIsLoggedOk)
{
    Response.Redirect("Mainpage.aspx");
}

I mean I only do the redirect when the user types the username and password correctly; otherwise the user sees the login page with an error, "Invalid password, try again".

I think the user never knows that Mainpage.aspx exists.

Kind regards
Frank

MrKurt
14 Apr 2007, 3:26 PM
It's a client side redirect. It's trivial to figure out which URL the server's sending you to, most of the time as easy as seeing it in the address bar. If Mainpage.aspx isn't secured by some other mechanism (Forms based ASP.NET auth, for instance), the Redirect isn't going to help you.

Have a look at the headers in Firebug when you log in. You'll see the URL Response.Redirect sends you to.
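
An added example, not part of any post in this thread: a small in-memory JavaScript model of the flow discussed above, showing that the destination page's own session check is what protects it, whether or not the client can see the URL. The JSON shape, the credentials, the login page path and all function names are assumptions made for illustration; this is not ASP.NET or Ext code.

```javascript
// Model only: constructed users, an in-memory session store, no real HTTP.
const webcrypto = globalThis.crypto ?? require('crypto').webcrypto;
const newSessionId = () =>
  Array.from(webcrypto.getRandomValues(new Uint8Array(16)),
             b => b.toString(16).padStart(2, '0')).join('');

const USERS = { daniel: 'correct horse' }; // constructed; a real handler checks a password hash
const sessions = new Set();                // session ids issued by the server
const LOGIN_PAGE = '/mysite/Login.aspx';   // assumed path, not given in the thread

// Models login.ashx: always answers the Ajax submit with JSON, never a 302,
// so the form's response parser gets what it expects.
function loginHandler(user, password) {
  if (!Object.hasOwn(USERS, user) || USERS[user] !== password) {
    return { status: 200, json: { success: false, reason: 'Invalid password, try again' } };
  }
  const sid = newSessionId();
  sessions.add(sid);
  return { status: 200, cookie: sid,
           json: { success: true, redirect: '/mysite/FirstPage.aspx' } };
}

// Models FirstPage.aspx: the page itself demands a valid session.
// Knowing or guessing the URL grants nothing.
function firstPage(cookie) {
  if (!cookie || !sessions.has(cookie)) {
    return { status: 302, location: LOGIN_PAGE };
  }
  return { status: 200, body: 'main page' };
}

// Client side: follow only a same-site relative path from a successful reply.
function redirectTarget(json) {
  const r = json && json.success === true ? json.redirect : null;
  if (typeof r !== 'string') return null;
  // Reject absolute, protocol-relative ("//host") and backslash ("/\host") forms.
  if (!/^\/(?![\/\\])/.test(r)) return null;
  return r; // in a browser: window.location = r
}
```

In a real ASP.NET site the check modelled by firstPage is what Forms authentication, mentioned in the last reply, performs for the protected page.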