How does redirect to returnUrl work in Asp.Net MVC5

生来不讨喜 2020-12-31 11:55

I've started a new MVC 5 site, using the new Asp.Net Identity with Owin. In my "account" controller which has the attribute [Authorize], I have fairly standard actions;

4 answers
  • 2020-12-31 12:02

    To answer your first question on how the redirect URL is set up: it is configured in Startup.Auth.cs, which is called from Startup.cs and is marked with an attribute which is probably looked for by the OWIN framework on app startup, and both files partially extend a Startup class.

    In Startup.Auth.cs there's a class to configure authentication options, and it usually has the following code:

    public partial class Startup
    {
        // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
        public void ConfigureAuth(IAppBuilder app)
        {
            // Enable the application to use a cookie to store information for the signed in user
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                CookieSecure = CookieSecureOption.Always
            });
            // Use a cookie to temporarily store information about a user logging in with a third party login provider
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    
            // ....
            // I deleted code which is commented out if you selected "Individual accounts" 
            // if you created the site project using the VS 2013 wizard
            // ...
        }
    }
    

    I added the CookieSecure option to ensure cookies were signed and that is recommended as a good security practice; other than that, it's boilerplate code.

    More documentation on CookieAuthenticationOptions if you want it.

  • 2020-12-31 12:13
    if (Url.IsLocalUrl(returnUrl))
    {
        return Redirect(returnUrl);
    }
    else
    {
        return RedirectToAction("Index", "Controller");
    }
    
  • 2020-12-31 12:15

    As Sandeep Phadke said, the returnUrl parameter is filled because of the configuration in Startup.Auth.cs.

    The CookieAuthenticationOptions has a property ReturnUrlParameter which is by default set to "returnUrl". That is the reason why it looks like magic. You can change it to whatever you want:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        ReturnUrlParameter = "returnTo"
    });
    

    Then you can change the AccountController Login action to:

    [AllowAnonymous]
    public ActionResult Login(string returnTo)
    {
        ViewBag.ReturnUrl = returnTo;
        return View();
    }
    
  • 2020-12-31 12:26

    You need to check that the URL is indeed local using this method (it is not handled by the framework automatically): http://msdn.microsoft.com/en-us/library/system.web.mvc.urlhelper.islocalurl%28v=vs.118%29.aspx

    if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
    {
      return Redirect(returnUrl);
    }
    
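The local-URL check from the answers above, as an added stand-alone example (not code from the thread or from the framework). `IsLocal` and `Target` are hypothetical helpers that restate the kind of rule `Url.IsLocalUrl` enforces, run over constructed `returnUrl` values to show which ones are redirected to and which fall back to a default page; inside an MVC 5 controller, call `Url.IsLocalUrl` itself.

```csharp
using System;

static class ReturnUrlCheck
{
    // Illustrative rule only (assumption: a rooted or app-relative path is "local").
    // It is not the framework's implementation.
    public static bool IsLocal(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Reject control characters, which some clients drop before parsing.
        foreach (char c in url)
            if (char.IsControl(c)) return false;

        if (url[0] == '/')
        {
            // "/" or "/path" is local; "//host" and "/\host" name another host.
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }

        // "~/path" is relative to the application root.
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // Mirrors the if/else in the answers: redirect only to a local URL,
    // otherwise to a fixed fallback page.
    public static string Target(string returnUrl, string fallback)
    {
        return IsLocal(returnUrl) ? returnUrl : fallback;
    }

    static void Main()
    {
        // Constructed sample values for the returnUrl query-string parameter.
        string[] samples =
        {
            "/Account/Manage", "~/Home/Index", "/", null, "",
            "http://other.example/", "//other.example/",
            "/\\other.example/", "other.example/path", "/\tManage"
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-24} local={1,-5} -> {2}",
                s ?? "(null)", IsLocal(s), Target(s, "/Home/Index"));
        }
    }
}
```

Only the first three samples are treated as local; every other value, including the missing and empty ones, resolves to the fallback page.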