DNN Forums

Ask questions about your website to get help learning DNN and help resolve issues.

POST is not coming to .ashx

New Around Here
Posts: 2

    Initial description:

    • DNN with 2 portals: ID = 1 and 2 with URL1 and URL2, user myuser123 located in portal ID = 2
    • SSO.ashx handler processing SSO POST requests. All requests come to URL1, and the request body contains username = "myuser123"
    • In SSO.ashx, code executes SSO: logging user "myuser123" in to portal ID = 2 and redirection to URL2

    Results: the 1st request works properly; the 2nd request (the same) is not working because a GET comes to SSO.ashx, not a POST; the 3rd request works properly like the 1st; the 4th request comes in as GET like the 2nd, and so on. It doesn't matter whether you close the browser before the next request or not, and the problem is related to the authentication cookie.

    Last response from GitHub:

    If I am not mistaken, the authentication cookie is valid for the authenticated portal alias. I think the proper way for this use case is to set up portal groups and then you get a single authentication domain for multiple portals. Unfortunately, there is currently no UI to manage portal groups. https://github.com/SCullman I am closing this issue and recommend discussing this special case in the new forums https://dnncommunity.org/forums. If discussions end up being a bug in the platform, please open a new issue with very clear steps and/or a code sample to reproduce.

    My response:

    'Portal groups' may serve as a workaround, but basically it creates a security breach. Here are my statements:

    • The user exists only in one portal and should be authenticated only in this portal
    • If a POST request is sent to SSO.ashx, a POST request should arrive at SSO.ashx regardless, with no precondition... but it's not working this way: a GET arrives, not a POST

     I think this explanation is straightforward, but let me know if coding details are required.

    Veteran Member
    Posts: 543
      Please be aware that cookies refer to a domain, not a DNN website. If you are having child sites, they will inherit the login cookie, AFAIR.
      New Around Here
      Posts: 2

        Yes, this is correct: cookies refer to a domain, and the domain is the same for both portals.

        Unfortunately it doesn’t help to resolve the problem.

        Common expectation: if a POST request is sent to the handler URL, a POST request should arrive at the handler.

        In reality, the 2nd, 4th, 6th … requests arrive as GET.

        Going only into the technicalities, I can see that during the 2nd, 4th, 6th … requests the LOGIN COOKIE is destroyed (i.e. logout simulated), an error is thrown and a GET comes to the handler.

        What kind of reasonable explanation can prove that it is not a bug?
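
The alternating pattern reported in the post above can be reproduced with a small model, added here as an illustration; it is not code from the thread or from DNN. It assumes that the platform reacts to a login cookie whose user is unknown to the requested portal by clearing the cookie and answering with a 302 to the same URL, which browsers follow with GET; every name in it is hypothetical.

```python
# Constructed model: one cookie jar for the shared domain, two portals.
USER_PORTAL = {"myuser123": 2}        # the user exists only in portal 2

class Browser:
    """Holds the single auth cookie the shared domain would carry."""
    def __init__(self):
        self.auth_cookie = None       # username, or None when logged out

def platform_pipeline(browser, portal_id):
    """ASSUMED platform behaviour, not confirmed by the thread: a cookie for
    a user who is not in the requested portal is cleared and the request is
    answered with a 302 back to the same URL."""
    user = browser.auth_cookie
    if user is not None and USER_PORTAL.get(user) != portal_id:
        browser.auth_cookie = None    # the "logout simulated" observation
        return 302
    return 200

def sso_handler(browser, method, username):
    """Hypothetical SSO.ashx: only a POST carries the body and logs in."""
    if method == "POST":
        browser.auth_cookie = username    # cookie is set on the shared domain
    return method

def send_sso_post(browser, username):
    """Send a POST to URL1 (portal 1); return the method the handler sees."""
    method = "POST"
    while platform_pipeline(browser, portal_id=1) == 302:
        method = "GET"                # a 302 after POST is re-issued as GET
    return sso_handler(browser, method, username)

def run(requests):
    """Replay the same SSO request several times in one browser."""
    browser = Browser()
    return [send_sso_post(browser, "myuser123") for _ in range(requests)]

if __name__ == "__main__":
    for number, method in enumerate(run(6), start=1):
        print(f"request {number}: handler received {method}")
```

A server log for the 2nd, 4th, 6th … requests that shows a 302 followed by a GET to the same URL would be consistent with this assumption; a log without the 302 would rule it out.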

        Senior Member
        Posts: 1374
          ASHX files can be quite dangerous and expose your application to "bad actors" out there. Have you considered using a more service-based or authentication provider approach instead?
