Vulnerability in EPiServer.Forms
I want to use separate logins for our public extranet users and our web admins, therefore I changed the loginUrl in the web.config to a redirect page; based on ReturnUrl I let the users come to my custom login OR the EPiServer one (/util/login.aspx). But when I do that the EPiServer login doesn't work anymore: it looks like it should and it authenticates, but I am not redirected to the CMS admin page. When I manually write the admin URI I am authenticated.
ReturnUrl is specified to /util/login.aspx
The EPiServer login form uses the ReturnUrl to specify where the page should be redirected to after the form submission. What I think is happening is that your user is being authenticated but you are being redirected back to the same login page. The EPiServer login page doesn't redirect you itself, so it is possible to view that page whilst authenticated.
You need to make sure that your custom redirect page also passes through the ReturnUrl of the first request, so that if you redirect to the EPiServer login page you see a URL of the form /util/login.aspx?ReturnUrl=ui/edit (or wherever your edit / admin mode is bound).
Sorry, I wasn't totally clear. It does look like you describe, util/login.aspx?ReturnUrl=ui/edit, that's why it is weird that it is not working. Any other idea?
Yes that is correct.
Yes the user has the right roles. I can log in from my custom login page.
The only thing that has changed is the loginUrl in web.config. Nevertheless this approach should work, shouldn't it?
Strange. I solved it by making a new custom default login page; /util/login.aspx didn't work anymore.
Hi. I am having the exact same problem. The user gets authenticated on the Util/Login.aspx page, but doesn't get redirected to the ReturnUrl: util/login.aspx?ReturnUrl=%2fui%2fCMS%2fedit%2fdefault.aspx
Okay, this seems to be the problem. Instead of using:
<forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" />
I'm using a generic handler that redirects the user to different login pages:
<forms name=".EPiServerLogin" loginUrl="LoginHandler.ashx" timeout="120" />
By doing this I apparently disable the automatic use of ReturnUrl when using an ASP.NET Login control (which is used in the EPiServer Login.aspx). So I guess the only way to get this to work is to create a new custom login page and deal with the ReturnUrl yourself.
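The two points raised in this thread (the redirect handler must pass the original ReturnUrl through, and a custom login page has to perform the post-login redirect itself) as an added example; this is not code from the thread or from EPiServer. The handler name LoginHandler.ashx comes from the web.config above; the custom extranet page name /ExtranetLogin.aspx, the rule that only /ui/ and /util/ targets go to the CMS login, and the LoginPage code-behind are assumptions. Because ReturnUrl is attacker-controlled, both places validate it as a site-local path before redirecting, otherwise the dispatcher and the login page become open redirects.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Shared validation: only accept a local absolute path such as "/ui/edit".
// Rejects empty values, "http://evil.example", "//evil.example" and "/\evil.example".
public static class ReturnUrlGuard
{
    public static string SafeReturnUrl(string url, string fallback)
    {
        if (string.IsNullOrEmpty(url)) return fallback;
        if (url[0] != '/') return fallback;                       // must be site-relative
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\'))  // protocol-relative tricks
            return fallback;
        return url;
    }
}

// Hypothetical LoginHandler.ashx referenced as loginUrl in web.config.
// FormsAuthentication sends unauthenticated requests here with ?ReturnUrl=<original path>;
// the handler picks a login page and forwards the same ReturnUrl so it is not lost.
public class LoginHandler : IHttpHandler
{
    private const string CmsLogin      = "/Util/login.aspx";   // EPiServer login
    private const string ExtranetLogin = "/ExtranetLogin.aspx"; // assumed custom login page

    public void ProcessRequest(HttpContext context)
    {
        string returnUrl = ReturnUrlGuard.SafeReturnUrl(
            context.Request.QueryString["ReturnUrl"], "/");

        // Assumption: anything under the CMS UI goes to the EPiServer login,
        // everything else to the public extranet login.
        bool wantsCms = returnUrl.StartsWith("/ui/",   StringComparison.OrdinalIgnoreCase)
                     || returnUrl.StartsWith("/util/", StringComparison.OrdinalIgnoreCase);
        string loginPage = wantsCms ? CmsLogin : ExtranetLogin;

        context.Response.Redirect(
            loginPage + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl), true);
    }

    public bool IsReusable { get { return true; } }
}

// Code-behind for the assumed custom login page. Because this page is not the configured
// loginUrl, the Login control will not redirect to ReturnUrl on its own, so the LoggedIn
// event does it explicitly after the control has authenticated the user.
public partial class LoginPage : Page
{
    protected Login Login1; // the <asp:Login ID="Login1" OnLoggedIn="Login1_LoggedIn" /> on the page

    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        string target = ReturnUrlGuard.SafeReturnUrl(Request.QueryString["ReturnUrl"], "/");
        Response.Redirect(target, true);
    }
}
```

The fallback of "/" means a tampered ReturnUrl silently lands the user on the front page rather than off-site; log it instead if you want to spot probing. If the extranet and the CMS should have separate cookies or timeouts, that is not solved by the dispatcher, which only routes to the right form.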
I guess so; we solved it that way. Good luck.