
ASP.NET MVC5 Authentication on login

I am trying to set up the login authentication for a new enterprise site; I am trying to run the user login against my server's database (rather than the built-in Azure stuff).

I use the [Authorize] Header in my Controllers

public class HomeController : Controller
{
    [Authorize]
    public ActionResult Index()
    {
        return View();
    }
}

This is my Startup.cs:

public void ConfigureAuth(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Login/Index")
    });
}

Then in my Login Controller where I setup the AuthCookie:

[HttpGet]
[AllowAnonymous]
public ActionResult Index(string Error)
{
    return View();
}

[HttpPost]
[AllowAnonymous]
public ActionResult Index(string userID, string password)
{
    if(CheckUserCredentialsAgainstDB(userID, password))
    {
        FormsAuthentication.SetAuthCookie(userID, true);
        return RedirectToAction("Index", "Home"); // return added so the action compiles
    }
    return RedirectToAction("Index", new { Error = "Invalid credentials" }); // return added so the action compiles
}

When I run the application and log in, I have the .ASPXAUTH cookie in my browser, but when I attempt to access an action with the [Authorize] tag it sends me straight back to the login page. What am I missing here?

There are similar questions to this, such as Persistent AuthCookie is set but being redirected to login, however none of the answers have helped in my scenario.

Forms Authentication is a different thing from OWIN's default cookie auth.

Your login method should rely on the IAuthenticationManager exposed by OwinContext to sign in the user correctly:

using System.Security.Claims;
using System.Web;                   // Request.GetOwinContext()
using Microsoft.AspNet.Identity;    // DefaultAuthenticationTypes
using Microsoft.Owin.Security;      // AuthenticationProperties

// ...

[HttpPost]
[AllowAnonymous]
public ActionResult Index(string userID, string password)
{
    if(CheckUserCredentialsAgainstDB(userID, password))
    {
        var claims = new Claim[]
        {
            new Claim(ClaimTypes.NameIdentifier, userID),
            new Claim(ClaimTypes.Role, "therole")
        };
        // The identity's authentication type must match the AuthenticationType
        // configured in CookieAuthenticationOptions, or the middleware ignores it.
        var identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie); // create a new user identity

        var auth = Request.GetOwinContext().Authentication;
        auth.SignIn(new AuthenticationProperties
        {
            IsPersistent = false // set to true if you want `remember me` feature
        }, identity);

        // redirect the user somewhere
        return RedirectToAction("Index", "Home");
    }

    // notify the user of failure
    ModelState.AddModelError("", "Invalid user ID or password.");
    return View();
}

Side notes

Do not use multiple parameters in POST methods, especially when posting sensitive data like login information.

Basic parameters are usually transmitted inside the query string, and they will be visible to anyone who just looks at the URL (this also means inside server logs).

Instead, use a simple View Model to obtain the same result:

public class LoginViewModel
{
    public string UserId { get; set; }
    public string Password { get; set; }
}

// ...

[HttpPost]
[AllowAnonymous]
public ActionResult Index(LoginViewModel model)
{
    if(CheckUserCredentialsAgainstDB(model.UserId, model.Password))
    {
        // ...
    }

    // ...
}
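The complete flow the answer describes, as an added example that is not code from the question or the answer: the cookie middleware configured with the same AuthenticationType the identity is built with, the view model from the side note, OWIN sign-in and sign-out, and a ReturnUrl that is only followed when it is local to the site. ICredentialStore is a hypothetical abstraction standing in for the page's CheckUserCredentialsAgainstDB; the rest is the public Microsoft.Owin and System.Web.Mvc API.

```csharp
// Added example (not from the question or answer above). ICredentialStore is
// a hypothetical interface standing in for CheckUserCredentialsAgainstDB.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Security.Claims;
using System.Web;                          // Request.GetOwinContext()
using System.Web.Mvc;
using Microsoft.AspNet.Identity;           // DefaultAuthenticationTypes
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // Must equal the authentication type passed to ClaimsIdentity below;
            // a mismatch is exactly the "signed in but still redirected" symptom.
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Login/Index"),
            ReturnUrlParameter = "ReturnUrl",
            CookieHttpOnly = true,                    // script cannot read the ticket
            CookieSecure = CookieSecureOption.Always, // ticket never sent over plain HTTP
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true
        });
    }
}

// Hypothetical (assumption): verifies the password against the app's own
// database and returns the roles granted to the user.
public interface ICredentialStore
{
    bool Verify(string userId, string password, out IList<string> roles);
}

public class LoginViewModel
{
    [Required] public string UserId { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class LoginController : Controller
{
    private readonly ICredentialStore _store;
    public LoginController(ICredentialStore store) { _store = store; }

    private IAuthenticationManager Auth
    {
        get { return Request.GetOwinContext().Authentication; }
    }

    [HttpGet, AllowAnonymous]
    public ActionResult Index(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Index(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        IList<string> roles;
        if (!_store.Verify(model.UserId, model.Password, out roles))
        {
            // One message for unknown user and wrong password: no account enumeration.
            ModelState.AddModelError("", "Invalid user ID or password.");
            return View(model);
        }

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, model.UserId),
            new Claim(ClaimTypes.Name, model.UserId)   // backs User.Identity.Name
        };
        foreach (var role in roles) claims.Add(new Claim(ClaimTypes.Role, role));

        // Same authentication type as in Startup.ConfigureAuth.
        var identity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
        Auth.SignIn(new AuthenticationProperties { IsPersistent = model.RememberMe }, identity);

        return RedirectToLocal(returnUrl);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        Auth.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index");
    }

    // Follow ReturnUrl only when it points back into this site; an attacker-supplied
    // absolute URL would otherwise turn the login page into an open redirect.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

ClaimTypes.Name and ClaimTypes.Role are the default name and role claim types of ClaimsIdentity, so after this sign-in both `User.Identity.Name` and `[Authorize(Roles = "...")]` work without further configuration. FormsAuthentication is not referenced anywhere: the OWIN middleware issues and validates its own cookie, and the .ASPXAUTH ticket written by FormsAuthentication.SetAuthCookie is never consulted by it.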
