
Blank page instead of login screen (returnUrl not handled by ASP framework)

description

In the situation of a login timeout, users are often presented with a blank page.
One way to reproduce:
1) Log in the default Orchard site, provided with the installation.
2) Normally, the presented web page should show some 'edit' buttons. Do nothing.
3) Continue doing nothing until the login times out. (Or alternatively, log out in another window.)
4) Press the 'edit' button.
5) You get a blank page.
Expected behavior:
The login page is displayed.
As an extra, after the login, user returns to where they were before the authorization failure.

I did a bit of debugging, and found out that when authorization fails (because of a timeout or any other reason), the ASP framework does a 302, redirecting to the loginUrl, as defined in the Web.config.
<forms loginUrl="~/Users/Account/AccessDenied" timeout="2880"/>
So far so good. That works fine for most of the pages of my Orchard site.

However, if the requested URL (that leads to an authorization failure) contains the ReturnUrl parameter, the ASP framework does not emit a 302, but keeps it as 401. That 401 ends up displayed as a white page in the web browser. As far as I observed, the framework is only doing this with the ReturnUrl parameter. Other parameters do not affect the behavior; a 302 is emitted in all other cases.

For example, this URL will return a blank page (if authorization fails):
http://localhost:30320/OrchardLocal/Admin/Widgets/EditWidget/11?ReturnUrl=%2FOrchardLocal%2F
and this URL will generate a 302, users will be asked to log in:
http://localhost:30320/OrchardLocal/Admin/Widgets/EditWidget/11

One solution to this problem would be to rename all the ReturnUrl in Orchard code to something else, but that seems to require changing each and every controller, which I presume is not really an option.
Another solution would be to catch the 401 in the endrequest of the global.asax. Seems to be a better option, but I do fear some side effects.
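
The second workaround proposed above (catching the 401 in EndRequest of Global.asax), as an added example that is not part of the original report and is not Orchard's code. It assumes forms authentication with buffered responses; the class name `Global` and the helper `IsLocalPath` are hypothetical.

```csharp
// Added example: belongs in the application's Global.asax.cs. Class name is hypothetical.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        HttpResponse response = Context.Response;

        // Only the case from the report: a 401 that was not turned into a redirect.
        if (response.StatusCode != 401 || response.IsRequestBeingRedirected) return;

        // Leave the 401 intact for script callers, which expect a status code, not a login page.
        if (string.Equals(request.Headers["X-Requested-With"], "XMLHttpRequest",
                          StringComparison.OrdinalIgnoreCase)) return;

        string loginUrl = FormsAuthentication.LoginUrl;

        // Never redirect the login page to itself.
        if (request.Path.StartsWith(loginUrl.Split('?')[0], StringComparison.OrdinalIgnoreCase)) return;

        // RawUrl is path + query of the failed request, including its own ReturnUrl.
        // Fall back to the configured default URL if it is not a plain local path.
        string target = IsLocalPath(request.RawUrl) ? request.RawUrl : FormsAuthentication.DefaultUrl;

        string separator = loginUrl.Contains("?") ? "&" : "?";
        response.Redirect(loginUrl + separator + "ReturnUrl=" + HttpUtility.UrlEncode(target),
                          false); // endResponse: false, the request is already ending
    }

    // Hypothetical helper: accepts "/path" but rejects "//host" and "/\host",
    // which browsers resolve to another origin (open redirect).
    private static bool IsLocalPath(string url)
    {
        return !string.IsNullOrEmpty(url)
            && url[0] == '/'
            && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```

The login action that later consumes ReturnUrl should apply the same local-path check before redirecting, since the nested ReturnUrl value comes from the original link.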

comments

hkui wrote Oct 1, 2013 at 12:24 PM

We were having a problem similar to this:

We have a page on the site frontend, which contains a link to /Admin/Contents/Create/Vacancy.

If the user is not logged in and clicks this link, he will be redirected to: /Users/Account/AccessDenied?ReturnUrl=%2fAdmin%2fContents%2fCreate%2fVacancy

Now we have this other requirement: The user should be redirected, after creating the vacancy, to the page he came from. In this case, the page would be /home

To do this, we supplied the ReturnUrl-parameter to the create vacancy link:
/Admin/Contents/Create/Vacancy?ReturnUrl=/home

When the user is logged in, he will go to the create vacancy link, he can create his vacancy and when he's done, he will be redirected back to /home.

HOWEVER, when the user is NOT logged in and clicks the link, he will see a blank page. The page has a status code of 401. It seems this response should have been handled by ASP.NET MVC and that we should see the user being redirected to the logon form with a return URL of /Admin/Contents/Create/Vacancy?ReturnUrl=/home. So that, after logging in, he will be redirected to this URL and after creating the vacancy, he will be redirected to /home.

However, we do get a blank page.

This might be a bug(?) in ASP.NET MVC or in Orchard. We couldn't find anything pointing us to the location of the problem. But we believe it's easily reproducible using the information I just typed here.

manudea wrote Feb 26 at 8:50 PM

Same issue if you are authenticated and you change the machine key on server...