Forms authentication in web.config

Question

I am using MVC3 and have put the user authentication in the web.config file. This is to bypass sqlserver authentication.

code as below in web.config:

<         


        

Answer 1

If you examine standard ASP.NET MVC 3 AccountController.cs and AccountModels.cs files you'll learn what MembershipProvider.ValidateUser method is used internally (via Membership.Provider). If you want to store password in web.config you should use FormsAuthentication.Authenticate method instead.

For example:

public class AuthorizationController : Controller
{
    public ActionResult LogOn()
    {
        return View("LogOn");
    }

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult LogOn(string userName, string password, 
        bool rememberMe, string returnUrl)
    {
        if (!ValidateLogOn(userName, password))
            return View("LogOn");

        FormsAuthentication.SetAuthCookie(userName, rememberMe);

        if (!string.IsNullOrEmpty(returnUrl))
            return Redirect(returnUrl);
        else
            return RedirectToAction("Index", "News");

    }

    private bool ValidateLogOn(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName))
            ModelState.AddModelError("username", "User name required");

        if (string.IsNullOrEmpty(password))
            ModelState.AddModelError("password", "Password required");

        if (ModelState.IsValid && !FormsAuthentication.
            Authenticate(userName, password))
            ModelState.AddModelError("_FORM", "Wrong user name or password");

        return ModelState.IsValid;
    }

    public RedirectToRouteResult LogOff()
    {
        FormsAuthentication.SignOut();

        return RedirectToAction("LogOn");
    }
}