I've created a simple website in ASP.NET 5 MVC 6.
I have 1 controller with 1 index-method and view.
I need authentication on this with [Authorize]
I have a login-form on a view with an input taking a number. Users can log in if they can answer the right number to a calculation.. I need to check the answer in C#-code.
So basically i want a AuthenticationController with a Login(int answer) where i can check the result and redirect to the index-page. If they try to acces the index-page not logged in, they must be redirected to the login page :)
Possible in a simple way?
Read this Using Cookie Middleware without ASP.NET Core Identity
Related
net mvc 5 application using entity frame work etc and am new to .net c# etc (used to php & sessions)
so i have read allot about using .nets authentication service and that is some how registers a user upon login using FormsAuthentication.SetAuthCookie.
however i need to authenticate a user group for example admin or moderator. and from what i understand this can be achieved and be set using [authenticate(roles="admin")].
but surely if this is using a set cookie a user if they knew how could just change their registered role from user to admin to access restricted content?
so in as simple terms as possible how does .net mvc ensure security in authenticating users? can i use sessions instead of cookies? do i need to create my own authentication system.?
i have searched and read all i can find and most resources just explain how cookies work or how to implement authentication using cookies but very little about sessions.
I'll try to be as concise as possible:
Yes, ASP.NET MVC 5 uses cookies out of the box (if you chose Individual User Accounts in the project wizard)
The authorization of a group or role by means of an [Authorize(Roles="bla")] attribute to decorate controllers and/or controller methods will do just that. It's as if you would be writing
if(!User.IsInRole("bla"))
{
return new HttpUnauthorizedResult();
}
else
{
//here's your ultra-secret View
return View();
}
What if a user changes role while in-session or if he or she has a persistent cookie?
Indeed, you'll need to handle the interval between role change and cookie update.
Read up on it here
Long story short: the design decision is yours whether you think it better to log off a user when re-assigning roles or to make db roundtrips at every authorization check.
Can you use a session variable like in PHP? Sure (the Session object exists), but you shouldn't.
If and when the situation arises where you absolutely NEED to pass some arbitrary data however, there's ViewBag, ViewData and TempData.
I won't go as far as to say, that these constructs are superfluous, they certainly have their use from time to time, but do try and design your application to maximize the use of strongly-typed models, viewmodels and make use of the REST-based url architecture to get or put your data.
I am developing a web site with MVC 5.2 and ASP.NET Identity 2.1. As long as my site is in beta, I want to keep random visitors away from my website.
I am looking for a simple 2-step-protection mechanism:
When I hit the website with my browser the default browser dialog should pop up and ask me for username and password (IIS user credentials). When I enter valid data, my site appears (with it's homepage).
Here I have to login to my application (with application specific credentials).
I enabled Basic Authentication in IIS 8.5 (and disabled Anonymous Authentication), because I was hoping this would bring up the browser dialog (from step 1). But this didn't do the trick. Instead, when I hit the page, the browser returns an error message saying that my request ended in an endless loop. No popup dialog appears. My request is obviously hitting my MVC application already and this tries to redirect me to the login form again and again.
Any ideas?
I just want to keep visitors away with a simple mechanism (does not have to be secure!!). And if possible I don't want to change my MVC code.
Thanks for any help!!
Look at this:
ASP.NET MVC - HTTP Authentication Prompt
You can also use the [Authorize] attribute for your landing actions.
Make sure [AllowAnonymous] action is not used.
I currently have an intranet site that is accessed by external customers. I therefore set this up using Forms Authentication. However the powers that be (my bosses) want all our domain users to not have to enter their username and password to access the site.
I've done a bit or reading and everything seems to point to setting up a WinLogin.aspx page that you alter to use WindowAuthenthication and then redirect from there.
I have a problem with this as I don't like the idea of putting an aspx form in my mvc application.
Can anyone tell me how to achieve mixed authentication using a strictly MVC Controller/Action setup without a second application?
NOTES: running MVC 3 on an IIS 7 box.
Forms Authentication is not related to the URL or physical structure of your files. What matters is that a URL should ultimately map to a physical (or virtual) resource on the server, and be processed, and be returned back to the user.
Thus, somewhere in between for each incoming call (each HTTP request, even those for CSS and JavaScript files), you have to see if the current user has enough permission to access it or not. If no, then you might redirect him to the login page.
If you want, you can have a URL like /user/windowslogin where user is the name of the controller, and windowslogin is the name of your action method. Then you can create a custom authentication attribute (something like [WindowsAuthentication]) on your windowslogin action, and in that attribute (which is an MVC filter in essence), you can see if the current request comes from within your domain, and if so, talk to Active Directory for authentication or stuff like that, and on case of successful authentication, create an authentication cookie using FormsAuthentication class, and the rest of the story.
However, I don't think this would be an easy task. Others might introduce better solutions.
I am testing RSA secureID(Token) to use for security in my asp.net mvc project.
It protects the url that i assigned and it will prompt to insert
UserName and password when we browse that url.
For eg,if we assigned **Http://SamlpleApp/Sales/main.aspx** to protect,
RSA will prompt to set username and password when we browse it.
That one is working properly in normal asp.net projects.
But,i don't know
how to use in my asp.net mvc prj,i want to protect one view,physical
address may be **Http://SampleApp/Views/Sales/Index.aspx** ,but we have to call the
controller index action first and that wil redirect to view in mvc.
So,is it possible
to get physical url of view like "Http://SampleApp/Views/Sales/Index.aspx"
when we browse controller action? I mean i want to get that url when we call
controller action.
Please give me the the right way.
Best Regards,
Indi
It's not possible to go directly to the view. If you look in the web.config file in your Views directory, you will notice it blocks all requests.
If you want to secure a page you have to do it by securing the controller or the action by using the authorize attribute (or implement your own authorisation).
Setup
In my MVC3 app, MembersController is decorated with an [Authorize] attribute.
MembersController has an Action called MyPage. Due to the Authorize attribute on the controller, MyPage can only be requested by authorized users.
Problem
When an unauthorized user tries to request /Members/MyPage they are correctly redirected to the Login page.
However, the ReturnUrl parameter is not passed into the login page, so when the user authenticates, they are taken to the default page (lets call it /Members/Home) instead of /Members/MyPage.
Question
Why?!
In another app, developed in MVC2, the returnUrl QS parameters is there and works as expected.
Other Issues:
The Autorize attribute is being ignored when decorating both controllers and actions.
Resolution:
Sections of web.config not properly updated between .NET 3.5 and .NET 4. See answers below.
#Marcind put me on the right track, #Darin Dimitrov's answer very instructive of the process involved.
Diagnosis
It seems that the issue was related to a web.config that I did not update properly when merging an existing Web Forms .NET 3.5 app to a .NET 4.0 app. I can't recall how I went about this.
Anyway, by comparing the web.config of my app with a new MVC 3 web.config, I was able to find the extra bits that should not have been there, left over from 3.5 days.
Resolution:
The issue was resolved by correcting the bits in the <authentication><forms> tag in the web.config, as well as the <membership> tag.
Other Issues Caused by this:
Another issue caused by this was the fact that if I decorated a controller with the Authorize attribute, it was ignored, so the controller tried to process info based on the current user, that obviously was null, so all manner of exceptions were fired.
It works for me. I created a new project using the ASP.NET MVC 3 RC2, default template, added a MembersController, decorated it with the [Authorize] attribute, run the application, requested /members/index, was redirected to /Account/LogOn?ReturnUrl=%2fmembers%2findex, logged in, was redirected to /members/index. There must be something else wrong with your code.
Here's how it works:
The [Authorize] attribute checks if the user is authenticated and if it is not it returns 401 status code.
The FormsAuthenticationModule which is part of ASP.NET and handles forms authentication intercepts the 401 status code and redirects to the login page by appending the ReturnUrl parameter to the request which points to the initial request.
The FormsAuthenticationModule module is not specific to ASP.NET MVC, this is standard ASP.NET stuff