Enable Session POST Request
I have an ASP.NET 4.5 based Web Forms application. The requirement is that on a certain page I need to submit the form to a URL (external URL) outside my application with some parameters. I need to submit a return URL (it will be the current page URL of my application); the application running on that external URL will process the data coming from the form and redirect to the return URL. Now the problem is that when it gets that POST callback (from the external URL) in my session, my application redirects it to the login page although the session is still valid (if I recall the URL in GET, I display the page correctly). Can anyone help me understand why it redirects me to the login page?
-
AgaveJoe • 31,361 Reputation points
2023-06-22T15:40:14.97+00:00 If I understand correctly, a Web Form sends an HTTP POST to an external URL. The external service processes the form data and returns a redirect (301) to the browser. When the browser follows the redirect URL, the request is not authorized, which causes the application to redirect to the login page.
Unfortunately, it is not clear how your authentication/authorization works. If you are using cookie authentication, the redirect indicates the authentication cookie was not found. This can be due to redirecting to http rather than https, the user's session has timed out or the application recycled.
Or perhaps the remote server is not redirecting but doing a post back which you mentioned as well?
Is there any way you can provide example code that reproduces this issue?
-
Salvatore Rizzo • 21 Reputation points
2023-06-23T07:27:29.24+00:00 My site uses cookie authentication. Once logged in, the user fills out the form and sends it via post to an external URL. The external services process the data and present a form to the user. The user fills in the data in the form and upon submit they return a POST redirect to my site. When the site executes the redirect url, it causes the application to redirect to the login page.
If I manually write the url (therefore in GET) of the return page from the external site, I visualize it correctly as the session is still active.
The external site is a payment gateway
-
Lan Huang-MSFT • 30,211 Reputation points • Microsoft External Staff
2023-06-23T09:32:56.0266667+00:00 Hi @Salvatore Rizzo,
As AgaveJoe said: If you are using cookie authentication, the redirect indicates the authentication cookie was not found. This can be due to redirecting to http rather than https, the user's session has timed out or the application recycled.
Redirects (3xx) are in "other" responses, so they should be handled by the browser, which may then remove them for various reasons. One of the reasons browsers reject cookies is that the domain attribute of the cookie is specified without enough dots (such as "localhost"), or the path attribute of the cookie does not match the actual path case in the URL. (The path to the cookie is case sensitive.) Browsers only send cookies back to pages in the same domain as the page that set the cookie.
Some troubleshooting steps you can take:
- Remove the redirect and just return an empty view and see if the cookie is there
- Do not set Secure to true and see if that's the issue
- Use Fiddler to look at the actual HTTP response for the cookie in case your browser is preventing cookies
-
Salvatore Rizzo • 21 Reputation points
2023-06-23T10:51:36.9966667+00:00 Thanks Lan Huang-MSFT:
If you suggest that the authentication cookie was not found, then why if I manually write the url of the page do I display it correctly with the session?
The redirect to the login page (loginUrl property of the authentication/forms tag of the web.config).
I'm not in localhost, I keep this problem in production.
The ideas I came up with are:
- Do I need to enable CORS?
- Do I have to enable receiving POST requests on the page?
What do you mean by "Don't set Secure to true and see if that's the problem"?
-
AgaveJoe • 31,361 Reputation points
2023-06-23T11:23:57.33+00:00
> If you suggest that the authentication cookie was not found, then why if I manually write the url of the page do I display it correctly with the session?

The community cannot answer this question. We do not have the code, the redirect URL, or the payment gateway documentation. You said the site uses cookie authentication. All we can do is list the reasons why the browser is not sending the cookie.

> do I need to enable CORS?

Cross Origin Request Sharing (CORS) is browser security that does not allow JavaScript HTTP responses from a domain other than the domain that rendered the JavaScript. I'm not sure how CORS has anything to do with this problem.

> do I have to enable receiving post requests on the page?

There is nothing to enable. Plus, the process you've described requires the payment gateway to return a self submitting form to the browser. It is possible the payment gateway application returns a self submitting form but it is unusual. It's more common to return a redirect to the browser.
At this point, your responses are odd enough to question how your code works. Is there any way you can provide example code?
Also, the browser's developer tools have a network trace utility that can record the HTTP requests/responses. The HTTP data will show clearly what's happening in the transactions between the browser, the payment gateway, and your web forms application.
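
The cookie checks the replies in this thread list (HTTP versus HTTPS, expiry, domain, case-sensitive path), applied to values read from a network trace, as an added example that is not part of the original thread. It goes beyond the thread by also modelling the SameSite attribute, which no reply mentions; the cookie value, host names and paths are constructed.

```javascript
// Added example, not from the thread; cookie name, hosts and paths are constructed.
// Parse a Set-Cookie header value into a map of lower-cased attribute names.
function parseAttrs(header) {
  const attrs = {};
  for (const part of header.split(';').slice(1)) {
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return attrs;
}

// "Site" is simplified to the last two host labels (assumption: real
// browsers consult the Public Suffix List).
const site = (host) => host.split('.').slice(-2).join('.');

// setOn: host that issued the cookie. req: { url, method, from, now } for a
// top-level navigation; from is the page that triggered it, or null when the
// URL was typed into the address bar. Returns the reasons the cookie is withheld.
function whyCookieNotSent(header, setOn, req) {
  const a = parseAttrs(header), url = new URL(req.url), why = [];
  const host = url.hostname, now = req.now || new Date();
  if (a.secure && url.protocol !== 'https:') why.push('Secure cookie, http request');
  if (typeof a.expires === 'string' && new Date(a.expires) <= now) why.push('expired');
  // No Domain attribute means host-only: sent only to the host that set it.
  const dom = typeof a.domain === 'string' ? a.domain.replace(/^\./, '').toLowerCase() : '';
  if (dom ? host !== dom && !host.endsWith('.' + dom) : host !== setOn)
    why.push('domain mismatch');
  // Path matching is case sensitive; a missing Path is simplified to "/".
  const path = typeof a.path === 'string' ? a.path : '/';
  if (url.pathname !== path && !url.pathname.startsWith(path.endsWith('/') ? path : path + '/'))
    why.push('path mismatch');
  // A missing SameSite is treated as Lax by Chromium-based browsers (their
  // short allowance for freshly set cookies on POST is not modelled).
  const mode = String(a.samesite || 'lax').toLowerCase();
  const crossSite = !!req.from && site(new URL(req.from).hostname) !== site(host);
  if (mode === 'none' && !a.secure) why.push('SameSite=None without Secure');
  if (crossSite && mode === 'strict') why.push('SameSite=Strict, cross-site request');
  if (crossSite && mode === 'lax' && req.method.toUpperCase() !== 'GET')
    why.push('SameSite=Lax, cross-site ' + req.method.toUpperCase());
  return why;
}

const authCookie = '.ASPXAUTH=constructed; path=/; HttpOnly; Secure';
const returnUrl = 'https://shop.example.com/Pay/Ok.aspx';
const typed = { url: returnUrl, method: 'GET', from: null };
const gatewayPost = { url: returnUrl, method: 'POST', from: 'https://pay.example.net/checkout' };
console.log(whyCookieNotSent(authCookie, 'shop.example.com', typed));
console.log(whyCookieNotSent(authCookie, 'shop.example.com', gatewayPost));
```
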
-
Salvatore Rizzo • 21 Reputation points
2023-06-23T12:42:23.0466667+00:00 Thank you for your help,
Here are some code snippets:
Authentication:
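```csharp
// Issue a persistent forms-authentication cookie and redirect to the originally requested page.
FormsAuthentication.RedirectFromLoginPage(userName, true);
```
Form to the external site:
```csharp
// Collect the form fields and POST them to the destination URL via the tutorial's helper.
NameValueCollection data = new NameValueCollection();
data.Add("v1", "val1");
data.Add("v2", "val2");
HttpHelper.RedirectAndPOST(this.Page, "http://DestUrl/Default.aspx", data);
```
Code by: Redirect and POST in ASP.NET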
The page the user should return to on my website is absolutely empty, the Page_Load is completely empty.
In my opinion the problem is in returning to my website in POST. If I write the url of the page and press enter, it works correctly and I stay logged in.
-
AgaveJoe • 31,361 Reputation points
2023-06-23T14:08:53.6633333+00:00 I think you misunderstand the tutorial or how your payment gateway works. The tutorial creates a self submitting form that posts an HTTP Form to the destinationUrl URL. The destinationUrl URL is NOT the return URL. Secondly, Web Forms wraps everything in an HTML form. The tutorial could easily create a nested form which is invalid HTML.

> In my opinion the problem is in returning to my website in POST.

I doubt your payment gateway is generating a self submitting form that posts back to your site. A more likely scenario is your payment gateway is a standard REST service that accepts an application/x-www-form-urlencoded content-type.
If your payment gateway processes user payments on their site, then usually there is a configuration when you signed up that asks for the return URL (back to your site). If the payment gateway allows you to submit a return URL then that data would be one of the items in the NameValueCollection.
Unfortunately, you have not provided enough information for us to figure out exactly what's wrong but it seems like a misunderstanding.
-
Salvatore Rizzo • 21 Reputation points
2023-06-23T14:45:51.4933333+00:00 No, it's not a misunderstanding.
The form that I prepare and send to the gateway works correctly (in fact I see the amount to pay).
In the form that I prepare and send, I also send URL_OK, URL_Cancel and URL_Notify.
If the user makes the payment correctly, he gets the redirect to the URL_OK page, otherwise if he cancels the operation, the redirect to my site takes place towards URL_Cancel.
Using the browser tool I see the payload containing the data in POST when the user returns to my site.
If it helps I noticed that ASP.NET_SessionId is different between the one my site had before going to the external site with the one my site always had when it came back.
-
AgaveJoe • 31,361 Reputation points
2023-06-23T15:21:34.9733333+00:00
> If it helps I noticed that ASP.NET_SessionId is different between the one my site had before going to the external site with the one my site always had when it came back.

ASP.NET_SessionId is for Inproc Session (Session["MyData"]) not the authentication cookie. If you never set Session, then the ID changes on every response. Once Session is set (Session["MyData"] = "MyData") then the ID is set.

> Using the browser tool I see the payload containing the data in POST when the user returns to my site.

Again, the browser controls cookies. I can only guess what's wrong as I cannot reproduce this issue and I can't read the payment gateway documentation. Is the URL_OK https?
-
Salvatore Rizzo • 21 Reputation points
2023-06-24T00:15:18.33+00:00 Yes, the URL_OK is https.
The payment gateway is MyPos, I'm implementing their checkout service.