
I'm pretty new to asp.net and mvc so am trying to learn as much as I can... to do this I'm writing a blog site from scratch but I've got a bit stuck with authentication and authorization.

As I'm learning I don't really want to use any scaffolding stuff and I'm going database first so don't want asp.net identity creating tables for me.

I'm cool with hashing and salting passwords and checking the user against the database, the bit I'm having trouble with is setting the user as logged in and checking what they should be able to access. I really would like to use the authorize attribute but if it's better not to that's fine, I'm open to all advice. Could you guys explain (or suggest a tutorial for) the following:

  1. set the user logged in (maybe FormsAuthentication.SetAuthCookie, is this still good??)
  2. add the roles for the user to that cookie (or something along those lines)
  3. Don't leave my app horrifically insecure.
  4. let me use [Authorize(roles="dudes, otherdudes")]

Simple?

So far all of my research seems to have sent me along lines of using asp.net identity or stuff to do with owin and talking to external authentication providers which I don't want to do.

I'm trying to learn and understand what is going on, not too deep, just more "this bit sets the cookie(sessions??)", "that bit adds the roles" etc

If I'm completely off target here some gentle directions would be appreciated.

Many thanks for your help.

Best regards, Jon

1 Answer


So you need to implement your own user management system in your MVC application instead of using the Membership Provider.

When the user logs in, you can set the relevant user data (a custom AuthKey or something, plus the user's roles/permissions) in a Session variable, after getting it from the database. Now, when the user tries to access a URL or perform an action, you just need to check whether the user is logged in and whether or not he has the permission to do so. This logic can be implemented in a custom action filter, which you can create by deriving from ActionFilter (or implementing IActionFilter) and overriding the OnActionExecuting method.

However, make sure you implement IActionFilter and not IAuthorizationFilter, since you are using your custom authorization logic.

Now, you can use this action filter on all your controllers except the Login controller, to prevent the user from performing an operation he is not allowed to.

Here is a tutorial on Action Filters.
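As an added example (not code from the question or the answer), here is one way to write the session-based action filter the answer describes, for ASP.NET MVC 5 (System.Web.Mvc). The SessionUser type, the session key name and the Account/Login route are assumptions.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;
using System.Web.Routing;

// Assumed shape of what the login action stores in Session after the password check.
[Serializable]
public class SessionUser
{
    public string UserName { get; set; }
    public string[] Roles { get; set; }
}

// Usage: [SessionAuthorize] or [SessionAuthorize(Roles = "dudes, otherdudes")].
// Actions/controllers marked [AllowAnonymous] (e.g. Login) are skipped, so it can be a global filter.
public sealed class SessionAuthorizeAttribute : ActionFilterAttribute
{
    public const string SessionKey = "AuthUser"; // assumed key name
    public string Roles { get; set; }

    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        if (ctx.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            ctx.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true))
            return;

        var user = ctx.HttpContext.Session[SessionKey] as SessionUser;
        if (user == null)
        {
            // Not logged in: redirect to the login page, keeping the requested URL.
            ctx.Result = new RedirectToRouteResult(new RouteValueDictionary(
                new { controller = "Account", action = "Login", returnUrl = ctx.HttpContext.Request.RawUrl }));
            return;
        }

        if (!string.IsNullOrWhiteSpace(Roles))
        {
            var required = Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0);
            var held = user.Roles ?? new string[0];
            // Any one of the listed roles is enough, matching [Authorize(Roles = "...")] semantics.
            if (!required.Any(r => held.Contains(r, StringComparer.OrdinalIgnoreCase)))
            {
                ctx.Result = new HttpStatusCodeResult(403, "Forbidden");
                return;
            }
        }

        base.OnActionExecuting(ctx);
    }
}
```

At login, after verifying the hash, store `Session[SessionAuthorizeAttribute.SessionKey] = new SessionUser { ... }`, and on logout call `Session.Abandon()` so the stored roles do not outlive the login. When the Login action honours `returnUrl`, check it with `Url.IsLocalUrl` before redirecting.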


2 Comments

Ahh ok cool, so instead of using [Authorise] I should check the username and password, stick the user and the roles in a session variable and then create my own Action filter, something like [JonAuthorise] to do the checking of those variables and redirect if not allowed?
@JonMoore Yes. That way, you can customize as much as you want. Store whatever data you need in the Session variable, and encrypt it in whatever way you want, and check for whichever condition you want in the action filter. No constraints. And pretty simple and manageable and easy to understand.
