Why Url.IsLocalUrl is false for local URLs in ASP.NET MVC?

Zameer Ansari · Jan 11, 2016 · Viewed 8.6k times

Mission:

To prevent open redirection in an ASP.NET MVC 5 application

The story:

The user is on some webpage of website /, say overview page /Home/Overview and clicks login

After login, the server returns some top-secret user specific data and redirects to the same page from where the user initiated login request.

I need to make sure that the server does not stupidly redirect to a hacker's website after login and also pass the top-secret user-specific data.

The values of

  • _Controller.Request.UrlReferrer
  • _Controller.Request.UrlReferrer.AbsoluteUri
  • _Controller.Request.Url.AbsoluteUri
  • _Controller.Url.IsLocalUrl(returnUrl)

respectively are:

  • {https://localhost:44300/Home/Overview}
  • "https://localhost:44300/Home/Overview"
  • "https://localhost:44300/Account/Login?returnUrl=%2FHome%2FOverview"
  • false


The value of Url.IsLocalUrl is false, which is logically wrong.

In such a case, how do I make sure that the user gets safely redirected to /Home/Overview and not to http://blackHatHackerWebsite.com after successful login?


Answer

Cheng Chen · Jan 11, 2016

Url.IsLocalUrl("/Home/Overview") is definitely true. You get false because it's evaluating Url.IsLocalUrl("%2fHome%2fOverview"). That is, your returnUrl is URL-encoded twice. Try to find where you have an unnecessary encode.
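To make the answer concrete, the following stand-alone console program is an added example and is not code from the question, the answer, or the ASP.NET MVC project itself. It reimplements the rule that MVC 5's Url.IsLocalUrl applies (a string is local only if it is "/" or "/path" but not "//host" or "/\host", or if it is "~/path"), feeds it the question's return URL together with its double-encoded form and a few attacker-controlled values, and shows why the encoded form is rejected. IsLocalUrl and SafeReturnUrl are this example's own names; the decode-once step at the end is an assumption about where the extra encoding came from and is shown only to explain the false result, not as a substitute for removing the extra encode.

```csharp
using System;
using System.Net;

// Added example: mirrors the local-URL check behind ASP.NET MVC 5's Url.IsLocalUrl
// so it can be exercised without a web host. Names below are this example's own.
static class ReturnUrlDemo
{
    // Same rule as MVC 5: "/" or "/path" (but not "//host" or "/\host"), or "~/path".
    // Anything carrying a scheme or host, or an empty string, is not local.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        if (url[0] == '/')
        {
            // "/" alone is local; "//evil.example" and "/\evil.example" are
            // protocol-relative and would leave the site, so reject them.
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }

        // "~/path" is app-relative and therefore local.
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // The redirect target to use after login: the caller-supplied returnUrl only
    // if it passes the local check, otherwise a fixed in-site fallback.
    public static string SafeReturnUrl(string returnUrl, string fallback = "/")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    static void Main()
    {
        // Constructed inputs: the question's value, its double-encoded form, and
        // values an attacker might place in ?returnUrl=.
        string[] candidates =
        {
            "/Home/Overview",
            "%2FHome%2FOverview",            // what the question's action actually saw
            "//blackHatHackerWebsite.com",
            "/\\blackHatHackerWebsite.com",
            "http://blackHatHackerWebsite.com",
            "~/Home/Overview",
        };

        foreach (var c in candidates)
        {
            Console.WriteLine($"{c,-36} local={IsLocalUrl(c),-5} redirect -> {SafeReturnUrl(c)}");
        }

        // A query-string value reaches the action already decoded once by the framework.
        // If the login link was built with an extra encode, the action sees
        // "%2FHome%2FOverview", which starts with '%' rather than '/' and so fails the
        // check. Decoding it once more restores "/Home/Overview". Whatever value is
        // finally handed to Redirect() is the one that must pass IsLocalUrl.
        string doubleEncoded = "%2FHome%2FOverview";
        string decodedOnce = WebUtility.UrlDecode(doubleEncoded);
        Console.WriteLine($"decoded once: {decodedOnce} local={IsLocalUrl(decodedOnce)}");
    }
}
```

Inside a real AccountController the same pattern is `return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Home");`, applied to the exact string that will be redirected to. The proper fix for the question's symptom is the one the answer gives, removing the second encode where the link is built; decoding in the action is only a way to see what went wrong, and if it is ever used, the local check has to run on the decoded value, never on the raw one.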