...

Files and pages that are restricted to users based on permissions are not working as expected. Users are only able to access protected content if they are already logged in to the site.

Update 11/9

The problem has to do with a lack of URL encoding on the DNN side. It's not a problem for Aptify.

Here is what's being used to send the user over right now:

https://www.cda.org/member-login?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0

You can clearly see that there are TWO query strings in the URL. That is what's confusing things.

If we encode the returnurl value in the query string first - before it is encoded again by Aptify - everything works:

https://ebusiness.cda.org/ebusiness/login?isCDA=1&ReturnURL1=https%3A%2F%2Fwww.cda.org%2FLinkClick.aspx%3Ffileticket%3DOnt4-l_m5Bg%253d%26amp%3Bportalid%3D0

...

LinkClick.aspx

That's what's making life a little harder, because that's an additional redirect being thrown in the mix. You pass that thing a query string, which gets rolled into the Aptify query string too.

So you end up with a query string parameter that contains a query string, which breaks all but the most clever URL parsing routines.

https://www.cda.org/member-login?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0

"?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0" is a query string value

"fileticket=Ont4-l_m5Bg%3d&portalid=0" is a query string parameter INSIDE the other query string parameter

The way to get around it is to double encode the query string that's inside the other query string

So....

https://ebusiness.cda.org/ebusiness/login?isCDA=1&ReturnURL1=https%3A%2F%2Fwww.cda.org%2FLinkClick.aspx%3Ffileticket%3DOnt4-l_m5Bg%253d%26amp%3Bportalid%3D0

You now see there is only one "?" and only one query string. The embedded query string doesn't appear until AFTER it's been decoded at the landing spot
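A worked illustration of the double-encoding fix described above (an added example, not code from the original ticket or from DNN/Aptify): it builds the login URL with the inner LinkClick.aspx query string encoded once and the whole return URL encoded again, shows how the unencoded form lets portalid escape into the outer query string, and decodes the landing side. The host allowlist check is an assumption about how a return URL should be validated, not something the page describes.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample values, taken from the URLs quoted on the page.
LOGIN_ENDPOINT = "https://ebusiness.cda.org/ebusiness/login"
DNN_LANDING = "https://www.cda.org/LinkClick.aspx"
INNER_PARAMS = {"fileticket": "Ont4-l_m5Bg=", "portalid": "0"}
UNENCODED_FORM = ("https://www.cda.org/member-login"
                  "?returnurl=/LinkClick.aspx?fileticket=Ont4-l_m5Bg%3d&portalid=0")
ALLOWED_RETURN_HOSTS = {"www.cda.org"}  # assumption: hosts the login may send users back to


def build_nested_return_url(landing: str, inner: dict) -> str:
    """Encode the inner query string once ('=' in fileticket becomes %3D), then
    encode the entire return URL again as the value of ReturnURL1. After the
    second pass the outer URL contains exactly one '?' and no stray '&'."""
    return_url = f"{landing}?{urlencode(inner)}"
    return f"{LOGIN_ENDPOINT}?{urlencode({'isCDA': '1', 'ReturnURL1': return_url})}"


def parse_naive(url: str) -> dict:
    """The broken form from the page: the inner '&' is not encoded, so a standard
    parser splits it at the outer level and portalid detaches from returnurl."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_return_url(login_url: str) -> dict:
    """Landing-side view: parse_qs decodes ReturnURL1 once; only then does the
    embedded query string appear, and it is parsed as its own URL."""
    outer = parse_qs(urlsplit(login_url).query)
    return_url = outer["ReturnURL1"][0]
    inner = urlsplit(return_url)
    return {
        "outer_keys": sorted(outer),
        "return_url": return_url,
        "landing": urlunsplit((inner.scheme, inner.netloc, inner.path, "", "")),
        "inner": {k: v[0] for k, v in parse_qs(inner.query).items()},
    }


def is_safe_return_url(return_url: str) -> bool:
    """Check the decoded return target before redirecting: absolute URLs must use
    https and an allowed host; relative targets must be a single-slash path."""
    parts = urlsplit(return_url)
    if parts.netloc:
        return parts.scheme == "https" and parts.netloc.lower() in ALLOWED_RETURN_HOSTS
    return parts.scheme == "" and parts.path.startswith("/") and not parts.path.startswith("//")


if __name__ == "__main__":
    print("naive parse :", parse_naive(UNENCODED_FORM))  # portalid sits at the outer level
    fixed = build_nested_return_url(DNN_LANDING, INNER_PARAMS)
    print("fixed URL   :", fixed, "| '?' count =", fixed.count("?"))
    decoded = parse_return_url(fixed)
    print("landing side:", decoded["inner"], "| safe =", is_safe_return_url(decoded["return_url"]))
```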

...

10 Lb Analysis: I was reviewing this with Mark and he suspects (based on how the redirects are working) the issue is related to the SSO module (ICPC-TE-SsoXP)… The problem for this access appears to be revolving around the SSO/IDP not honoring the ReturnURL redirect with DNN.

...

We also confirmed that this is happening to files in different folders, so it is not isolated to a specific file or folder, and other internal users have had the same experience so it is not isolated to a specific user.

Screenshare of issue:

https://cdaorg-my.sharepoint.com/:v:/g/personal/catherine_foss_cda_org/EbG3vy3FMr1BoiSR4hObYAABbMQY1kxXCIvZUzLEzgSn8Q

To replicate issue:

  1. Ensure you are logged out of website

  2. Go to this link: https://www.cda.org/Home/Advocacy/Advocacy-Overview/Policy-Resources

  3. Click “CDA Policy Archive” in the right sidebar

...