Developer forum


How to Prevent Browser Caching of 302 Redirect After Failed AD Login Attempt?

Nikolaj Skovmose

Hello,

We've integrated AD authentication into our frontend application. The authentication workflow generally functions as intended. However, we've encountered an issue when a user initiates a login but fails due to not being part of the allowed AD domain.

Specifically, when the user clicks the login button, they are redirected to the AD login page as expected. If the login fails (e.g., the user is not part of the permitted AD domain), the browser seems to cache this 302 redirect. As a result, on subsequent attempts to access our website, the user is automatically redirected back to the AD login page, with no option to navigate back to the main website.

We're looking for a way to prevent the browser from caching this 302 redirect to allow users to return to the main site after a failed login attempt. Does anyone have suggestions on how to manage or configure these redirects to avoid caching, or any other solutions to this problem?

Thank you in advance for your help!


Replies

Nicolai Pedersen (Dynamicweb Employee)

Hi Nikolaj

Usually a 302 is a temporary redirect and not cached by the browser - so I wonder how you have ended up there. We also send out 'expires -1' headers for 301s in most places to avoid browser caching despite a 301 being permanent - but we have learned that most want a permanent redirect that is temporary :-).

I am thinking you can use web.config and add custom headers to the path handling the external login providers (/admin/public/Social).

Or directly in IIS:

Nikolaj Skovmose

We've tried that already with no luck. The redirect is sending us to the AD login page "https://login.microsoftonline.com/" whenever we try to access our site staging.vibocold.dk after trying to log in with any user not in the AD domain; we get redirected to the AD login page.

If you want to see it, you can try going to staging.vibocold.dk and press Login in the top right; at the bottom of the login slide-in there is a "Login as employee".

Nikolaj Skovmose

More info
Azure setup

DW setup

Nicolai Pedersen (Dynamicweb Employee)

Hi Nikolaj

I have looked into it and it is not browser cache that is causing this. DW sets a cookie, DW_ExtranetSessionCookie.DWExternalLoginProviderId when you start external authentication - no matter if it goes well or not. So DW expects you to login once you have chosen that option.

There is no easy fix.

You can remove or reset the DW_ExtranetSessionCookie if a user is not logged in - you can do that using a notification subscriber - something like below:

using Dynamicweb;
using Dynamicweb.Environment;
using Dynamicweb.Security.UserManagement;
using System;

namespace Dynamicweb.Examples.Notifications.Standard
{
    // Runs before every request: when no frontend user is logged in, the
    // external-login marker in DW_ExtranetSessionCookie is cleared so the
    // visitor is no longer sent back to the external provider.
    [Dynamicweb.Extensibility.Notifications.Subscribe(Dynamicweb.Notifications.Standard.Application.BeforeBeginRequest)]
    public class BeginRequestObserver : Dynamicweb.Extensibility.Notifications.NotificationSubscriber
    {
        public override void OnNotify(string notification, Dynamicweb.Extensibility.Notifications.NotificationArgs args)
        {
            // Only handle the BeforeBeginRequest notification (a null args fails this test too).
            if (!(args is Dynamicweb.Notifications.Standard.Application.BeforeBeginRequestArgs))
                return;

            if (!User.IsFrontendUserLoggedIn())
            {
                // Did the browser send the cookie? That decides whether we create
                // a new (already expired) cookie or update the existing one.
                Cookie cookie = CookieManager.GetCookie("DW_ExtranetSessionCookie");
                bool isNewCookie = cookie is null;

                // Build an expired replacement with the provider id blanked out,
                // so the browser drops it and DW stops expecting an external login.
                cookie = new Cookie("DW_ExtranetSessionCookie");
                cookie.Expires = DateTime.Now.AddDays(-100);
                cookie.HttpOnly = true;
                cookie["DWExternalLoginProviderId"] = null;

                if (isNewCookie)
                {
                    CookieManager.SetCookie(cookie);
                }
                else
                {
                    CookieManager.UpdateCookie(cookie);
                }
            }
        }
    }
}

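An added variant of the subscriber above (example code, written here; not from Dynamicweb or from the thread) that only rewrites the cookie when a stale provider id is actually present, and skips requests to the external login handler path named earlier in the thread (/admin/public/Social) so a login round-trip that is still in progress is not disturbed. It assumes Dynamicweb.Context.Current.Request exposes the current request URL, as in Dynamicweb 9; the class name and namespace are placeholders.

```csharp
using System;
using Dynamicweb;
using Dynamicweb.Environment;
using Dynamicweb.Extensibility.Notifications;
using Dynamicweb.Security.UserManagement;

namespace Example.Notifications
{
    // Added example: clears the external-login marker only when it is set and
    // only outside the external login handler path.
    [Subscribe(Dynamicweb.Notifications.Standard.Application.BeforeBeginRequest)]
    public class ExternalLoginCookieReset : NotificationSubscriber
    {
        // Handler path for external login providers, as mentioned in the thread.
        private const string ExternalLoginPath = "/admin/public/Social";

        public override void OnNotify(string notification, NotificationArgs args)
        {
            if (!(args is Dynamicweb.Notifications.Standard.Application.BeforeBeginRequestArgs))
                return;

            // Nothing to do for an authenticated frontend user.
            if (User.IsFrontendUserLoggedIn())
                return;

            // Assumption: Dynamicweb.Context.Current.Request is the current request
            // (System.Web.HttpRequest in Dynamicweb 9).
            var request = Dynamicweb.Context.Current?.Request;
            if (request == null)
                return;

            // Leave the provider id alone while the provider callback is being handled.
            string path = request.Url.AbsolutePath;
            if (path.StartsWith(ExternalLoginPath, StringComparison.OrdinalIgnoreCase))
                return;

            // Only touch the cookie if it carries a provider id; otherwise every
            // anonymous request would rewrite it for no reason.
            Cookie cookie = CookieManager.GetCookie("DW_ExtranetSessionCookie");
            if (cookie == null || string.IsNullOrEmpty(cookie["DWExternalLoginProviderId"]))
                return;

            // Blank the provider id and expire the cookie so the next visit
            // lands on the site instead of being sent to the provider again.
            cookie["DWExternalLoginProviderId"] = null;
            cookie.Expires = DateTime.Now.AddDays(-100);
            cookie.HttpOnly = true;
            CookieManager.UpdateCookie(cookie);
        }
    }
}
```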