I have searched many posts here regarding custom user authentication but none have addressed all of my concerns
I am new to ASP.NET MVC and have used traditional ASP.NET
Code:
using Microsoft.AspNet.Identity;
// Fragment of a controller action: Request.IsAuthenticated is true only when the
// current request carries an identity the runtime has already validated (with
// forms authentication, the encrypted auth cookie). The check itself comes from
// System.Web — the Microsoft.AspNet.Identity using above is not what drives it
// (TODO confirm whether Identity is used elsewhere in this controller).
if (Request.IsAuthenticated)
{
return View();
}
You can write the authentication service yourself. Here is a short walkthrough:
Your user model class (e.g.):
/// <summary>
/// A user account record. Plain data holder with no behaviour of its own.
/// Note that <see cref="Password"/> is whatever value the repository compares
/// with the submitted password verbatim, i.e. in this sample it is the raw
/// credential; production code should keep a salted hash (e.g. PBKDF2) here
/// and verify it with a constant-time comparison instead.
/// </summary>
public class User
{
    private int _userId;
    private string _name;
    private string _username;
    private string _password;
    private string _email;
    private bool _isAdmin;

    /// <summary>Row identifier (EF treats a property named UserId as the key by convention).</summary>
    public int UserId
    {
        get { return _userId; }
        set { _userId = value; }
    }

    /// <summary>Display name.</summary>
    public string Name
    {
        get { return _name; }
        set { _name = value; }
    }

    /// <summary>Login name submitted on the login form.</summary>
    public string Username
    {
        get { return _username; }
        set { _username = value; }
    }

    /// <summary>Credential compared verbatim by the repository lookup.</summary>
    public string Password
    {
        get { return _password; }
        set { _password = value; }
    }

    /// <summary>E-mail address.</summary>
    public string Email
    {
        get { return _email; }
        set { _email = value; }
    }

    /// <summary>Administrative flag.</summary>
    public bool IsAdmin
    {
        get { return _isAdmin; }
        set { _isAdmin = value; }
    }
}
Your context class (e.g.):
/// <summary>
/// Entity Framework context for the sample; exposes the <see cref="Users"/> set.
/// </summary>
public class Context : DbContext
{
/// <summary>Turns lazy loading off for every instance of this context.</summary>
public Context()
{
base.Configuration.LazyLoadingEnabled = false;
}
/// <summary>
/// Model configuration. The null initializer disables database
/// initialization for this context type (EF will not create or migrate the
/// schema; the tables must already exist), and removing the pluralizing
/// convention maps each entity to a table named after its class
/// (e.g. "User" rather than "Users").
/// </summary>
protected override void OnModelCreating(DbModelBuilder modelBuilder)
{
Database.SetInitializer<Context>(null);
base.OnModelCreating(modelBuilder);
modelBuilder.Conventions.Remove<PluralizingTableNameConvention>();
}
/// <summary>Rows of the user table; see <see cref="User"/>.</summary>
public DbSet<User> Users { get; set; }
}
Your user repository class (e.g.):
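/// <summary>
/// Looks users up by credential. The lookup is a plain equality match on the
/// stored <see cref="User.Password"/> column, so the sample stores and compares
/// raw passwords; production code should store a salted hash and verify it in
/// constant time in application code rather than comparing columns in the query.
/// </summary>
public class UserRepository
{
    // Held for the repository's lifetime and never disposed here; a DbContext
    // per unit of work (using block) is the usual pattern for real code.
    private readonly Context context = new Context();

    /// <summary>
    /// Returns the user whose Username and Password both equal the values on
    /// <paramref name="user"/>, or null when no such row exists.
    /// </summary>
    /// <param name="user">Carries the submitted Username and Password; nothing else is read.</param>
    /// <returns>The matching <see cref="User"/>, or null.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public User GetByUsernameAndPassword(User user)
    {
        if (user == null)
        {
            throw new ArgumentNullException("user");
        }

        // Capture the submitted values once so the query closes over plain
        // locals rather than member accesses on the parameter.
        string username = user.Username;
        string password = user.Password;

        // '&&' rather than the non-short-circuit '&': both translate to SQL AND,
        // but '&&' is the idiomatic C# form. FirstOrDefault takes the predicate
        // directly instead of going through Where().
        return context.Users.FirstOrDefault(u => u.Username == username && u.Password == password);
    }
}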
And your user application class (e.g.):
/// <summary>
/// Application-layer facade over <see cref="UserRepository"/>. At present it is
/// a straight pass-through; it exists so controllers never touch the repository directly.
/// </summary>
public class UserApplication
{
    private readonly UserRepository userRepo = new UserRepository();

    /// <summary>
    /// Delegates the credential lookup to the repository and returns its result unchanged.
    /// </summary>
    /// <param name="user">Submitted Username and Password.</param>
    /// <returns>The matching user, or null.</returns>
    public User GetByUsernameAndPassword(User user)
    {
        User match = userRepo.GetByUsernameAndPassword(user);
        return match;
    }
}
Here is your account controller (e.g.):
public class AccountController : Controller
{
// One application service and one cookie helper per controller instance
// (MVC instantiates a controller per request, so these are per-request too).
UserApplication userApp = new UserApplication();
SessionContext context = new SessionContext();
/// <summary>Renders the login form (GET).</summary>
public ActionResult Login()
{
    ViewResult form = View();
    return form;
}
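/// <summary>
/// Validates the submitted credentials and, on success, issues the
/// forms-authentication cookie through <see cref="SessionContext"/> and
/// redirects to the home page. On failure the form is redisplayed with a
/// single generic error, so the response does not reveal whether the
/// username exists.
/// </summary>
/// <param name="user">Model-bound form values; only Username and Password are used.</param>
/// <returns>A redirect to Home/Index on success, otherwise the login view.</returns>
[HttpPost]
public ActionResult Login(User user)
{
    // NOTE(review): a login POST should also carry [ValidateAntiForgeryToken]
    // once the form emits the matching token; not added here because the view
    // is not part of this sample and the attribute would reject forms without it.
    if (user == null || string.IsNullOrEmpty(user.Username) || string.IsNullOrEmpty(user.Password))
    {
        // Reject blank credentials before touching the database.
        ModelState.AddModelError(string.Empty, "Username and password are required.");
        return View();
    }

    var authenticatedUser = userApp.GetByUsernameAndPassword(user);
    if (authenticatedUser == null)
    {
        ModelState.AddModelError(string.Empty, "Invalid username or password.");
        return View();
    }

    // false => session cookie (not persisted across browser restarts).
    context.SetAuthenticationToken(authenticatedUser.UserId.ToString(), false, authenticatedUser);
    return RedirectToAction("Index", "Home");
}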
/// <summary>
/// Removes the forms-authentication cookie and sends the visitor to the home page.
/// Note that SignOut only clears the browser's cookie; a copy of the ticket kept
/// elsewhere stays valid until its own expiration.
/// </summary>
public ActionResult Logout()
{
    FormsAuthentication.SignOut();
    return RedirectToAction(actionName: "Index", controllerName: "Home");
}
And your SessionContext class (e.g.):
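/// <summary>
/// Issues and reads the forms-authentication cookie that carries the signed-in
/// <see cref="User"/>. The payload is protected by
/// <see cref="FormsAuthentication.Encrypt"/> (machineKey), so it is opaque to
/// the browser, but it still travels with every request.
/// </summary>
public class SessionContext
{
    /// <summary>
    /// Writes the forms-authentication cookie for <paramref name="userData"/>.
    /// </summary>
    /// <param name="name">Ticket name; this is what later surfaces as User.Identity.Name.</param>
    /// <param name="isPersistant">True for a cookie that outlives the browser session, false for a session cookie.</param>
    /// <param name="userData">Signed-in user; copied into the ticket without its Password.</param>
    /// <exception cref="ArgumentException"><paramref name="name"/> is null or empty.</exception>
    /// <exception cref="ArgumentNullException"><paramref name="userData"/> is null.</exception>
    public void SetAuthenticationToken(string name, bool isPersistant, User userData)
    {
        if (string.IsNullOrEmpty(name))
        {
            throw new ArgumentException("A ticket name is required.", "name");
        }
        if (userData == null)
        {
            throw new ArgumentNullException("userData");
        }

        // Store only what later requests need: the credential itself must never
        // travel in the cookie, even encrypted.
        var payload = new User
        {
            UserId = userData.UserId,
            Name = userData.Name,
            Username = userData.Username,
            Email = userData.Email,
            IsAdmin = userData.IsAdmin
        };
        string data = new JavaScriptSerializer().Serialize(payload);

        // Fix: the JSON is now placed in the ticket's UserData so GetUserData can
        // read it back (the original stored only the UserId string there, which
        // GetUserData could not deserialize into a User). The ticket's own
        // expiration is what the runtime enforces for a hand-built ticket, so it
        // is derived from the configured <forms timeout> rather than a hard-coded year.
        DateTime issued = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, name, issued, issued.Add(FormsAuthentication.Timeout), isPersistant, data);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        // Only a persistent cookie gets an Expires date. Setting one on a session
        // cookie (as the original did unconditionally) keeps the browser sending
        // it for the whole ticket lifetime, regardless of isPersistant.
        if (isPersistant)
        {
            cookie.Expires = ticket.Expiration;
        }
        HttpContext.Current.Response.Cookies.Add(cookie);
    }

    /// <summary>
    /// Reads the <see cref="User"/> stored in the current request's
    /// forms-authentication cookie.
    /// </summary>
    /// <returns>
    /// The deserialized user, or null when there is no cookie, the ticket cannot
    /// be decrypted, it has expired, or its payload is not a User.
    /// </returns>
    public User GetUserData()
    {
        HttpCookie cookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }

        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            // Expiry is checked explicitly: it is the authentication module, not
            // Decrypt, that normally rejects a stale ticket, and this helper is
            // called outside that pipeline.
            if (ticket == null || ticket.Expired || string.IsNullOrEmpty(ticket.UserData))
            {
                return null;
            }
            return new JavaScriptSerializer().Deserialize<User>(ticket.UserData);
        }
        catch (Exception)
        {
            // A tampered, malformed or stale-key cookie is an unauthenticated
            // request, not a server error: callers get null rather than a 500.
            return null;
        }
    }
}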
Finally, add the following element inside the <system.web> element of your web.config file:
<!-- Forms authentication: requests without a valid auth cookie that hit an
     [Authorize]'d action are redirected to loginUrl. timeout (minutes) applies
     to cookies issued by FormsAuthentication itself; a ticket built by hand, as
     SetAuthenticationToken above does, carries its own expiration instead.
     When the site is served over HTTPS, add requireSSL="true" so the cookie is
     never sent over plain HTTP. -->
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
Now you just need to add the [Authorize]
attribute to each controller that requires authentication, like this:
// [Authorize] rejects requests that carry no authenticated identity before any
// action on the controller runs; with <authentication mode="Forms"> the runtime
// redirects them to the configured loginUrl. Do not put it on the Login and
// Logout actions themselves, or unauthenticated users can never reach them.
[Authorize]
public class ClassController : Controller
{
...
}
Given your comments regarding tutorials, please see the asp.net/mvc learning section on security.
In particular, this tutorial on creating a secure ASP.NET MVC 5 web app with log in, email confirmation and password reset.
1. Add this code to web.config:
<system.web>
<!-- Unauthenticated requests to [Authorize]'d actions are redirected to
     loginUrl. timeout is in minutes and applies to the cookie issued by
     FormsAuthentication.GetAuthCookie in the Login action below. -->
<authentication mode="Forms">
<forms loginUrl="/Log/Login" timeout="20"></forms>
</authentication>
</system.web>
2. In the login action, use this code:
/// <summary>
/// Checks the submitted credentials through the user service; on success writes
/// the forms-authentication cookie for UserName and redirects to the user list,
/// otherwise redisplays the form with the service's message.
/// </summary>
/// <param name="UserName">Login name from the form.</param>
/// <param name="Password">Password from the form.</param>
/// <returns>A redirect to User/ShowUsers on success, otherwise the login view.</returns>
[HttpPost]
public async Task<ActionResult> Login(string UserName,string Password)
{
    // NOTE(review): a login POST normally also carries [ValidateAntiForgeryToken]
    // together with the matching token in the form.
    var result = await userpro.Login(UserName, Password);
    if (!result.Resalt)
    {
        ViewBag.Message = result.Message;
        return View();
    }

    // Session cookie (second argument false) naming the authenticated user;
    // this is the value User.Identity.Name reports on later requests.
    Response.Cookies.Add(FormsAuthentication.GetAuthCookie(UserName, false));
    return RedirectToAction("ShowUsers", "User");
}
3. Add the [Authorize] attribute to the actions that require authentication.
4. With this code you can read the user name from the authentication cookie:
/// <summary>
/// Lists users for the requested page. Intended to sit behind [Authorize] so
/// that User.Identity is populated from the authentication cookie.
/// </summary>
/// <param name="Page">Zero-based page index passed through to the user service.</param>
public async Task<ActionResult> ShowUsers(int Page = 0)
{
    // User.Identity.Name is the name written into the cookie by GetAuthCookie at
    // login. It is not used further in this action; it is shown here only to
    // demonstrate how to read it.
    string UserName = User.Identity.Name;
    var model = await user.GetAllUser(Page);
    return View(model);
}