Vulnerability in EPiServer.Forms
We have an EPiServer 7.5 site set up using the multiplexing provider. The first provider is a custom one, the second is the WindowsMembershipProvider.
We also have a custom login page specified in the forms authentication config:
The issue we have is: when an editor is editing a page and their session expires (can be set by altering the timeout in the forms authentication snippet above), the user is not redirected to our custom login page. They instead get a dialog box prompting them to log in again. This login box does not seem to work with our custom MembershipProvider. It will not log our editors back in.
Is there a way we can get the login dialog box to work with our multiplexing provider, or disable the dialog box and redirect the user to the login page?
Is this a bug with EPiServer 7.5?
Any help appreciated.
Hi Paul! Do you have any non-standard ASP.NET authentication logic in your custom login page (other than Membership.ValidateUser and FormsAuthentication.SetAuthCookie calls)?
I can't really see anything that would affect ASP.NET Authentication. We are essentially calling Membership.ValidateUser and FormsAuthentication.SetAuthCookie on our custom login page, along with some validation logic and logging.
What confuses me is the fact that our Custom Membership Provider code doesn't get called from EPiServer's login dialog box.
Interestingly, I can log in fine using /Util/Login.aspx, so that is using our Custom Membership Provider ok.
Ok, not sure but that sounds like a bug to me.