
I use ASP.NET Core 2. I use this code in Startup.cs:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = new PathString("/Account/Login");
        options.AccessDeniedPath = new PathString("/Account/AccessDenied");

        // Cookie lifetime: 3 hours and 1 minute
        options.ExpireTimeSpan = TimeSpan.FromMinutes(3 * 60 + 1);
    });

I am not logged in, so my website redirects to

https://localhost/Account/Login?ReturnUrl=%252Fbbb.

It works in development. In production I get the URL

https://aaaaa.com/?ReturnUrl=%252Fbbb

How do I fix it? I searched Google but was unable to find anything.

yW0K5o
  • What is the `Production` environment? Did you host in IIS? How did you publish to `Production` environment? – Edward Jul 23 '18 at 02:41
  • I host on Ubuntu with the Apache web server, using a proxy. I build and publish in Release mode under Linux for Production. – yW0K5o Jul 23 '18 at 04:38
  • 1
    Have you followed [Host ASP.NET Core on Linux with Nginx](https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-2.1&tabs=aspnetcore2x) to configure your `Ubuntu`? For forwarding requests, did you add `app.UseForwardedHeaders` after `error handling` as this document indicates? – Edward Jul 23 '18 at 06:08
  • 1
    Maybe hook into the [OnRedirectToLogin](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.cookies.cookieauthenticationevents.onredirecttologin) event to confirm the redirect URL. – Mark G Jul 23 '18 at 06:11
  • @Edward I have all headers set correctly as described in the Microsoft article. – yW0K5o Jul 23 '18 at 21:56
  • @MarkG How do I implement this hook? – yW0K5o Jul 23 '18 at 22:11
  • See https://stackoverflow.com/a/45271981/310601. – Mark G Jul 23 '18 at 22:37
  • When I pushed the code with the 401 status to Production I got a million redirects. – yW0K5o Jul 24 '18 at 01:34
  • 1
    I suggest you try to create a middleware to log the request URL, and check which is the previous URL before `https://aaaaa.com/?ReturnUrl=%252Fbbb`. I assume something goes wrong during the login process. Maybe `stdoutLogEnabled` in web.config will be enough. – Edward Jul 24 '18 at 01:42
  • 1
    @yW0K5o The link was to demonstrate using the event, not for setting `StatusCode`; you should instead see what `RedirectUri` is set to. – Mark G Jul 24 '18 at 03:31
  • I added log4net logging but nothing was written into the log file. `options.Events.OnRedirectToLogin = context => { LogManager.GetLogger(typeof(object)).Info("OnRedirectToLogin->RedirectUri: " + context.RedirectUri); return Task.CompletedTask; };` – yW0K5o Jul 26 '18 at 01:18
  • @MarkG I used `services.ConfigureApplicationCookie` and logging is working. I received the log message with the correct redirect: `https://aaaaa.com/Account/Logon?ReturnUrl=%252Fbbb`. I shall try to verify Apache logs. – yW0K5o Jul 26 '18 at 23:24

1 Answer

My Apache proxy file 000-default.conf:

<VirtualHost *:80>
    ServerName aaaaa.com

    # Force HTTPS. The substitution "https://%{SERVER_NAME}/" has no $1, so the
    # captured path is discarded: "/Account/Logon?ReturnUrl=..." becomes "/?ReturnUrl=..."
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/ [R,L]
</VirtualHost>
<VirtualHost *:443>
    ProxyPreserveHost On
    # Kestrel is reached over plain HTTP and no X-Forwarded-Proto header is set,
    # so the application sees the request scheme as http
    ProxyPass "/" "http://localhost:5000/"
    ProxyPassReverse "/" "http://localhost:5000/"
    ErrorLog /var/log/httpd/aaaaa-error.log
    CustomLog /var/log/httpd/aaaaa-access.log common
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>

The code in Startup.cs:

services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = new PathString("/Account/Login");
    options.AccessDeniedPath = new PathString("/Account/AccessDenied");

    options.Events.OnRedirectToLogin = context =>
    {
        LogManager.GetLogger(this.GetType()).Info("OnRedirectToLogin->RedirectUri: " + context.RedirectUri);

#if DEBUG
        context.Response.Redirect(context.RedirectUri);
#else
        // In production the app sees http://, so rewrite the scheme before redirecting.
        // Note: ToLower() also lowercases the ReturnUrl query value.
        string strURL = context.RedirectUri.ToLower();

        if (strURL.StartsWith("http://"))
        {
            strURL = strURL.Replace("http://", "https://", StringComparison.CurrentCultureIgnoreCase);
        }

        context.Response.Redirect(strURL);
#endif
        return Task.CompletedTask;
    };
});

Logging shows the HTTP URL http://aaaaa.com/Account/Logon?ReturnUrl=%252Fbbb, and then Apache redirects to HTTPS while cutting Account/Logon from the URL.

The solution is simple: replace HTTP with HTTPS so Apache won't redirect.

Edward and MarkG, I appreciate your hints!

yW0K5o
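As an added example (not part of the question or this answer), here is a hardened form of the handler above together with the proxy-aware fix: the app is told to trust `X-Forwarded-Proto` so it builds `https://` URLs itself (Apache must send that header), and the fallback upgrade changes only the scheme, leaves the `ReturnUrl` query untouched instead of lowercasing the whole URL, and refuses to redirect to any host other than the site's own. `PublicHost`, `FixRedirectUri` and the host name `aaaaa.com` are assumptions for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private const string PublicHost = "aaaaa.com"; // assumed public host of the site

    // Returns the redirect target to use, or null when it points off-host. Only scheme
    // and port change; path and query (ReturnUrl) are kept byte-for-byte, unlike ToLower().
    public static string FixRedirectUri(string redirectUri, string publicHost)
    {
        if (string.IsNullOrEmpty(redirectUri)) return null;
        if (redirectUri.StartsWith("/") && !redirectUri.StartsWith("//"))
            return redirectUri;                       // app-relative: safe as-is
        if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out var uri)) return null;
        if (!string.Equals(uri.Host, publicHost, StringComparison.OrdinalIgnoreCase))
            return null;                              // never bounce the user to another host
        if (uri.Scheme == Uri.UriSchemeHttps) return uri.AbsoluteUri;
        return new UriBuilder(uri) { Scheme = Uri.UriSchemeHttps, Port = -1 }.Uri.AbsoluteUri;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Root-cause fix: honour X-Forwarded-Proto so the app builds https:// URLs itself.
        // Apache must send it, e.g.  RequestHeader set X-Forwarded-Proto "https"
        services.Configure<ForwardedHeadersOptions>(o =>
            o.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto);
        services.ConfigureApplicationCookie(options =>
        {
            options.LoginPath = new PathString("/Account/Login");
            options.AccessDeniedPath = new PathString("/Account/AccessDenied");
            options.Events.OnRedirectToLogin = context =>
            {
                // Off-host target: fall back to the bare login page instead of following it.
                var target = FixRedirectUri(context.RedirectUri, PublicHost) ?? options.LoginPath.Value;
                context.Response.Redirect(target);
                return Task.CompletedTask;
            };
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseForwardedHeaders(); // must run before authentication and any redirect logic
        app.UseAuthentication();
    }
}
```

With the forwarded header honoured, `context.RedirectUri` already arrives as `https://aaaaa.com/Account/Login?ReturnUrl=...`, so the Apache rewrite in the `*:80` host is never triggered for the login redirect.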