Prevent misleading status pages from being shown #1580
Labels
Comments
|
Maybe the two problems can be solved in different ways:
|
|
These probably shouldn't be redirect -> 200 at all. If you fail to log in too many times in a row, we should return a 4xx from the login POST itself that says you're locked out. Similarly, if you can't access a specific page, we should return a 4xx for the GET to that URL, with no redirection involved, that shows the access denied message. This was how it worked in days of yore, and the correct status codes plus no extraneous redirects matches what browsers are expecting to see when it comes to things like network cache, bfcache, and reloads, so the browser will give the right behavior. |
|
a quick fix would be to null out the returnUrl before directing them to problematic pages |
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Quick example: Currently we use the default settings, so that if you try to log in but enter your password incorrectly 5 times, you're locked out for 5 minutes. You get redirected to this page:
https://tasvideos.org/Account/Lockout
If you then wait some time and click "Log in" on the top right, you will go to this page:
https://tasvideos.org/Account/Login?returnUrl=%2FAccount%2FLockout
Notice the
returnUrl!A successful login will redirect you to the Lockout page, even though you logged in.
Something similar happens if you try to access a page while logged out, you're redirected to the AccessDenied page. Then you log in and you're redirected to the AccessDenied page yet again, even if you now have the permission to the previous page. (The information about the previous page is even completely lost now.)
The text was updated successfully, but these errors were encountered: