Problem: If a user other than host is logged into a child portal, accessing any ASPX page without a querystring parameter of "tabid" of "alias" causes the user to be logged off. This problem usually becomes apparent when third-party controls such as editors, image galleries, file downloaders refer to ASPX pages from popup dialogs or windows.

Versions affected: DNN 1.0.9, DNN 1.0.10, DNN 2.0.x

Cause: The core portal detection engine relies on the domain from the URL or one of the two querystring parameters to identify the portal. Most of the time, one of these parameters is present, however, when a non-core ASPX page is called this is not always the case. In this situation, the engine incorrectly identifies the portal as the parent portal in the Application_BeginRequest handler. When Application_AuthenticateRequest is fired, the identified portal is different from the authenticated user's portal and so the user is logged out.

Solution: Set a cookie from the child portal's default page called "portalalias" with a value set to the child portal's alias. Add code to Application_BeginRequest to check for and use this cookie if all other tests (tabid, alias, domain name) fail to yield a valid portal.

Fix Tested: DNN 2.0.4

Fix Details: Make the following core changes:

1) Subhost.aspx
Add line:

Response.Cookies("portalalias").Value = DomainName

Immediately *before* line:

DomainName = ServerPath & glbDefaultPage & "?alias=" & DomainName

IMPORTANT: You will need to make this change in the "default.aspx" page of all existing child portals (since default.aspx in child portal folders is created when the portal is created by copying subhost.aspx and renaming to default.aspx)


2) Global.asax.vb (** requires recompile **)
Locate this block of code:

			' TabId uniquely identifies a Portal


			If PortalAlias Is Nothing Then


				If TabId <> 0 Then


					PortalAlias = PortalSettings.GetPortalByTab(TabId, DomainName)


				End If


			End If

... and change it to:

			' TabId or cookie uniquely identifies a Portal


			If PortalAlias Is Nothing Then


				If TabId <> 0 Then


					PortalAlias = PortalSettings.GetPortalByTab(TabId, DomainName)


				Else


					If Not (Request.Cookies("portalalias") Is Nothing) Then


						PortalAlias = Request.Cookies("portalalias").Value


					End If


				End If


			End If

3) Recompile

Side-effect: Until the user closes the browser window, any portal URL that does not contain a querystring of "tabid" or "alias" or a child portal folder in the URL will always take the user to the first child portal they accessed with their browser in that session.

Hi Nik,

I'm still having this problem with 1.0.10 and LeftHandNavi calling non-portal .aspx pages (thread here). I've just gone back to using Solpart Menu for now but I would like to use LeftHandNavi if possible. Any ideas how to fix this with 1.0.10???

Thanks

nice fix Nik...did you post it in the bug tracker on the DotNetNuke site?
bert

Awesome catch. Yes please make sure that is posted.

Wouldn't another fix simply be to require that module builders attach the parents TabId to requests to external in-portal aspxs?

I will post to Aardvaark.

John: Module builders can do the TabId thing, but it's not possible to require that of third-party controls (good example: editors).

Nik

I am wondering if this has been corrected in the new release thsi weekend. Nik did you get a chance to post it in the bug tracker? I logged in and I was tryign to find the issue so I coudl see if it had been updated but was unable to located it....

bert

You know...I don't think I ever got around to logging it. I will do that today.

Nik

Hi Nik,

I upgraded to 2.1.1, and started seeing this problem again. It was working fine before I upgraded. I made the fix again to the global.asax.vb file and recompiled (then copied up to my host), but no luck. Have you seen this?

... As I write this, I wondered if there was something going on with my host (tactical). I used my localhost to do some testing, and it seems to be working properly there. I copied the same .vb file to my host. Can anyone tell me if making a compile change like this requires me to do anything but copy the new file up?

" I copied the same .vb file to my host"

when you recomile the vb files are compiled into the DotNetNuke.dll. The only file you need to copy up is the DotNetNuke.dll

Bert

<redface> I hate when I do that. It works fine now. You'd think I could do that right since I did it just a few weeks ago. It's been one of those weekends.</redface>

Thanks Bert.

Nik, this is a great fix, thank you! I ended up trying a little different approach because I could not gaurantee that our users were going to access child portals using one of the subhost files, and the problem still appeared if they just accessed the portal by tabid.

Here is another Core Hack that seems to be solving this problem for specific files:
(I will use LHNavi as an example below)

1) In your Web.Config under the <appSettings> section, add the following Key:
<add key="Auth-Exclude" value="file1,file2,file3" />

* You would insert the absolute path(s) to the file(s) that you want to exclude from authentication in a comma delim list.

For LHNavi this might look like:
<add key="Auth-Exclude" value="/desktopmodules/leftnavi2/leftnavicss.aspx,/desktopmodules/leftnavi2/navileftJs.aspx" />

2) In the Global.asax.vb file at the top of the file, (above the "Namespace DotNetNuke" line) add the following import:
Imports System.Configuration

3) In the Global.asax.vb file at the bottom of Sub Application_Start add the following lines:
' Added for Auth-Exclude Fix
Application("Auth-Exclude") = ConfigurationSettings.AppSettings("Auth-Exclude").ToString.ToLower()

4) In the Global.asax.vb file at the top of Sub Application_AuthenticateRequest add the following lines:
Dim CurFile As String = HttpContext.Current.Current.Request.Url.AbsolutePath.ToString.ToLower()
If Not (InStr(Application("Auth-Exclude").ToString(), CurFile) > 0) Then

5) In the Global.asax.vb file at the bottom of Sub Application_AuthenticateRequest add the following line:
(place this directly above "End Sub"...)
End If

Recompile... you might need to reset the site so that the cache is cleared and Application_Start is called.

I found that by blocking that section completely for specific files only, then everything seemed to work great.

Thanks again,

Jim Scheitel
Web Developer
Knife River Corporation

One thing to note is you do not need to apply both Nik's fix and my hack, one or the other is sufficient depending on your needs.

Well, Stanley Moss identified that there is still a bug after this fix... I do not think it has to do with the modifications I have outlined above.

In his words:
In a situation where the user is registered, but is only authorized in the first child portal - not in it's siblings or parent:
From child to sibling by alias --> get logged out.
From child to sibling by tabid --> stay logged in for first page view.
From child to parent by domain name --> stay logged in.
From child to parent by tabid --> stay logged in.
</ul>
In each of these cases, the user should be logged out of the destination portal right away.

After researching this a bit, I think this additional change will solve that the above problem:

(see post above for changes 1-5)

6) In the Global.asax.vb file in the Application_AuthenticateRequest find the following code:

                    ' check if user has switched portals


                    If _portalSettings.PortalId <> Int32.Parse(PortalCookie.UserData) Then





                        ' expire cookies if portal has changed


                        Response.Cookies("portalid").Value = Nothing


                        Response.Cookies("portalid").Path = "/"


                        Response.Cookies("portalid").Expires = DateTime.Now.AddYears(-30)





                        Response.Cookies("portalroles").Value = Nothing


                        Response.Cookies("portalroles").Path = "/"


                        Response.Cookies("portalroles").Expires = DateTime.Now.AddYears(-30)





                        ' check if user is valid for new portal


                        Dim objUsers As New UserController


                        Dim objUser As UserInfo = objUsers.GetUser(_portalSettings.PortalId, Int32.Parse(Context.User.Identity.Name))


                        If objUser Is Nothing Then


                            ' log user out


                            FormsAuthentication.SignOut()


                            ' Redirect browser back to home page


                            Response.Redirect(Request.RawUrl, True)


                            Exit Sub


                        End If





                    End If

And Replace it with this code:

                    ' check if user has switched portals


                    If _portalSettings.PortalId <> Int32.Parse(PortalCookie.UserData) Then





                        ' expire cookies if portal has changed


                        Response.Cookies("portalid").Value = Nothing


                        Response.Cookies("portalid").Path = "/"


                        Response.Cookies("portalid").Expires = DateTime.Now.AddYears(-30)





                        Response.Cookies("portalroles").Value = Nothing


                        Response.Cookies("portalroles").Path = "/"


                        Response.Cookies("portalroles").Expires = DateTime.Now.AddYears(-30)





                        ' check if user is valid for new portal


                        Dim objUsers As New UserController


                        Dim objUser As UserInfo = objUsers.GetUser(_portalSettings.PortalId, Int32.Parse(Context.User.Identity.Name))


                        If objUser Is Nothing Then


                            ' log user out


                            FormsAuthentication.SignOut()


                            ' Redirect browser back to home page


                            Response.Redirect(Request.RawUrl, True)


                            Exit Sub


                        Else


                            ' validate user in portal


                            Dim dr As IDataReader


                            dr = DataProvider.Instance().GetPortalUser(_portalSettings.PortalId, objUser.UserID())


                            Dim UserId As Integer = -1


                            If dr.Read Then


                                If Convert.ToBoolean(dr("Authorized")) Then


                                    UserId = Convert.ToInt32(dr("UserId"))


                                End If


                            End If


                            dr.Close()


                            If UserId <> -1 Then


                                ' update last login


                                DataProvider.Instance().UpdatePortalUser(_portalSettings.PortalId, UserId, True, Now)


                            Else


                                ' Log user Out


                                FormsAuthentication.SignOut()


                                ' Redirect browser back to home page


                                Response.Redirect(Request.RawUrl, True)


                            End If


                        End If


                    End If

Recap: In the case where an authenticated user is switching portals, the existing code seemed to be checking whether a userportal record existed, but was not verifying that the user was actually authorized for the destination portal, so we are checking for authorization and if authorized updating the user within the portal, if not we are signing them out and refreshing the page.

There may be an easier/more efficient way to do this process, and I am guessing that accessing the DataProvider.Instance() object probably breaks a design principal or two - if you see a better way of doing this, please let me know, I am still getting up to speed on how all of this works.

Thanks,

Jim Scheitel
Web Developer
Knife River Corporation

I have this trouble in 3.0.13.  Has anyone a fix for 3.0.13?  None of the prior thread fixes apply.

I am seeing this same problem now in 3.1.1!

Was this somehow overlooked when the 3.x build was started?
This is very annoying...