Tags: asp.net-mvc, authentication, authorization, pci-compliance

Is it secure to put a callback URL in a URL's query string?


I'm working on an ASP.NET MVC5 web app. Say a user's session times out and they must go to a login screen to authenticate again, then be redirected back to the URL they came from. Is it good practice to put the return (callback) URL in the query string of the login URL?

Does anybody know about the PCI compliance for this? I remember going through PCI training and they mentioned callback URLs, but I can't remember if this follows compliance or not. If not, is there a more secure way in ASP.NET MVC to pass a callback URL? I'm currently not using any Auth/Auth libraries, just doing all authentication by hand using cookie management...

Thanks in advance!


Solution

  • Like any other piece of code, it can be PCI compliant or not, depending on whether it is implemented properly / securely.

    For example:

    // Insecure: redirects to whatever the query string supplies, including
    // absolute URLs on other hosts (open redirect).
    private ActionResult RedirectReturnUrl(string returnUrl)
    {
        return Redirect(returnUrl);
    }
    

    If you use the above piece of code to redirect to the returnUrl in the query string, you'll be vulnerable to open redirection attacks.

    However, you can make this secure if you ensure the returnUrl is local to the current host:

    // Hardened: only follow returnUrl when it is relative to this application;
    // otherwise fall back to a fixed, known-safe destination.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
    
        return RedirectToAction("Index", "Home");
    }
    

    See this for more details
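To show what the local-URL check above actually accepts and rejects, here is an added stand-alone example (not code from the answer or from ASP.NET MVC itself). It reimplements the rule as I understand MVC5's Url.IsLocalUrl to apply it, so it can be exercised in a console app without a controller; the inputs are constructed.

```csharp
using System;

// Added illustration of the returnUrl policy a login action should enforce.
// Assumption: "local" means a path starting with a single '/' (not "//" or "/\")
// or an application-relative "~/" path; everything else, including absolute and
// protocol-relative URLs, is rejected. This mirrors the framework rule but is not
// the framework's code.
public static class ReturnUrlPolicy
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url[0] == '/')
        {
            // "/" alone or "/path" is local. "//host" and "/\host" are
            // scheme-relative forms that browsers resolve to another origin.
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }
        // "~/path" is an application-relative virtual path.
        return url.Length > 1 && url[0] == '~' && url[1] == '/';
    }

    // The destination the login action should redirect to: the supplied
    // returnUrl when it passes the check, otherwise a fixed safe default.
    public static string SafeRedirectTarget(string returnUrl, string fallback = "/Home/Index")
    {
        return IsLocalUrl(returnUrl) ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed inputs resembling what ?returnUrl=... might carry.
        string[] candidates =
        {
            "/Account/Orders?id=42",        // local, accepted
            "~/Cart",                       // app-relative, accepted
            "//evil.example/phish",         // protocol-relative, rejected
            "/\\evil.example/phish",        // backslash variant, rejected
            "https://evil.example/phish",   // absolute, rejected
            "",                             // empty, rejected
        };
        foreach (var c in candidates)
            Console.WriteLine($"{c,-30} -> {SafeRedirectTarget(c)}");
    }
}
```

In the controller, the post-login redirect would use SafeRedirectTarget(returnUrl) (or the framework's Url.IsLocalUrl, as in the answer) rather than passing returnUrl straight to Redirect.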