I made a functionality that prevents multiple-login for one username at the same time and I call it in Actions like this:
int userId = (int)WebSecurity.CurrentUserId;
if ((this.Session.SessionID != dba.getSessionId(userId)) || dba.getSessionId(userId) == null)
{
WebSecurity.Logout();
return RedirectToAction("Index", "Home");
}
So the point is that every time user logins I save his sessionID into database field. So if someone with same username logins over someone already logged in with same username it overwrites that database field with this new session. If sessionID in DB is not the same as current session ID of logined user it log him out.
Is there a possibility to put this part of code in 1 place or do I have to put it in every single Action in my application?
I tried in Global.asax:
void Application_BeginRequest(object sender, EventArgs e)
{
if (Session["ID"] != null)
{
int userId = Convert.ToInt32(Session["ID"]);
if ((this.Session.SessionID != db.getSessionId(userId)) || db.getSessionId(userId) == null)
{
WebSecurity.Logout();
}
}
}
But I can't use Session here nor WebSecurity class if I try like this:
void Application_BeginRequest(object sender, EventArgs e)
{
int userId = (int)WebSecurity.CurrentUserId;
if ((this.Session.SessionID != db.getSessionId(userId)) || db.getSessionId(userId) == null)
{
WebSecurity.Logout();
Response.RedirectToRoute("Default");
}
}
because I get null reference exception.
EDIT
I used this:
void IActionFilter.OnActionExecuting(ActionExecutingContext filterContext)
{
int userId = (int)WebSecurity.CurrentUserId;
using (var db = new UsersContext())
{
string s = db.getSessionId(userId);
if ((filterContext.HttpContext.Session.SessionID != db.getSessionId(userId)) || db.getSessionId(userId) == null)
{
WebSecurity.Logout();
filterContext.Result = new RedirectResult("/Home/Index");
}
}
}
I had to use using statement for context, otherwise db.getSessionId(userId) was returning old sessionId. Method is this:
public string getSessionId(int userId)
{
string s = "";
var get = this.UserProfiles.Single(x => x.UserId == userId);
s = get.SessionId;
return s;
}
Very strange, will have to read about why that happened.
Everything works fine, except one thing. I have one JsonResult action in a controller, which returns Json, but since event(its textbox on enter event) can't trigger POST(I assume it's because it logs out before) redirect doesn't work. It can't even post to that Json action to receive callback and redirect. Any clues on that?
success: function (data) {
if (data.messageSaved) {
//data received - OK!
}
else {
// in case data was not received, something went wrong redirect out
window.location.href = urlhome;
}
}
Before I used ActionFilterAttribute I used code to check different sessions inside of POST and of course it could make callback and therefore redirect if didn't receive the data.. But now since it can't even POST and go into method it just stucks there and doesn't redirect :)
I would derive from AuthorizeAttribute. No need to check this information if you don't need to authorize the request.
public class SingleLoginAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool isAuthorized = base.AuthorizeCore(httpContext);
if (isAuthorized)
{
int userId = (int)WebSecurity.CurrentUserId;
if ((filterContext.HttpContext.Session.SessionID != dba.getSessionId(userId))
|| dba.getSessionId(userId) == null)
{
WebSecurity.Logout();
isAuthorized = false;
filterContext.Result = new RedirectResult("/Home/Index");
}
}
return isAuthorized;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.Result = new JsonResult()
{
Data = FormsAuthentication.LoginUrl,
JsonRequestBehavior = JsonRequestBehavior.AllowGet
};
}
else
{
base.HandleUnauthorizedRequest(filterContext);
}
}
}
I'd also mention that this allows you to short circuit other ActionFilters because they run after OnAuthorization.
Forward Order - OnAuthorization : AuthorizationFilter (Scope Controller)
Forward Order - OnActionExecuting : ActionFilter1 (Scope Global)
Forward Order - OnActionExecuting : ActionFilter2 (Scope Controller)
Forward Order - OnActionExecuting : ActionFilter3 (Scope Action)
Then as Rob Lyndon mentioned, you could in the FilterConfig (MVC4)
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new SingleLoginAuthorizeAttribute());
}
}
Then when you don't want to require any authorization, you can use the AllowAnonymouseAttribute on your ActionResult methods or Controller Class to allow anonymous access.
Update
I added a way for your ajax calls (Get or Post) to work with timeouts. You can do something like:
success: function (jsonResult)
{
if (jsonResult.indexOf('http') == 0)
{
window.location = jsonResult;
}
// do other stuff with the Ajax Result
}
This isn't exactly the best way, but if you want more information on how to do this better I would ask another question instead of appending more questions on this one.
The ActionFilterAttribute is the way to go.
We created an Action Filter called SeatCheck and decorate each controller like this:
[SeatCheck]
public class NoteController : BaseController
{
We use that to get a count of seats and other functions, but it makes it so much easier to control everywhere without thinking about it.
In the proejct ActionFilters folder we have the SeatCheck.cs file that looks like this:
namespace site.ActionFilters
{
public class SeatCheckAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
You can get the SessionID in the Action Filter like this
filterContext.HttpContext.Session.SessionID
Create a custom action filter, and put that code in the filter, then apply the filter to your controller.
Yes, indeed there is. You can use an attribute derived from ActionFilterAttribute.
I would write a class called SessionSecurityAttribute:
public class SessionSecurityAttribute : ActionFilterAttribute
{
public MyDbConn MyDbConn { get; set; }
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var session = filterContext.RequestContext.HttpContext.Session;
if (session["ID"] != null && WebSecurity.IsAuthenticated)
{
int userId = Convert.ToInt32(session["ID"]);
if ((sessionID != MyDbConn.getSessionId(userId)) || MyDbConn.getSessionId(userId) == null)
{
WebSecurity.Logout();
}
}
}
}
The question remains: how can you add these attributes to your actions whilst giving them access to your database? That's easy: in Global.asax you can call into the bootstrapping RegisterGlobalFilters method:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new SessionSecurityAttribute
{
MyDbConn = DependencyResolver.Current.GetService<MyDbConn>()
});
}
This adds your SessionSecurityAttribute, complete with DB connection, to every action by default, without a line of repeated code.
You might try implementing your own custom ISessionIDManager:
http://msdn.microsoft.com/en-us/library/system.web.sessionstate.isessionidmanager.aspx
In the validate, check to see if it's still valid, otherwise return false.
Related
I am writing custom authorize attribute for one requirement.
As per the requirement, I need to pass all the allowed roles for that particular action method like below.
[MyAuthorize("Admin,Reviewer")]
public ActionResult GetFXSelldownSummaryData()
{
var model = (new FXSelldownSummaryBLL()).GetFXSelldownSummaryData();
return View(model);
}
When the user logs in, the logged in user role should be compared against all the allowed roles (in the above code, all the allowed roles are Admin, and Reviewer). If the role matches, the user can see the view, otherwise the page should be navigated to Un authorized page.
I have wrriten the custom attribute like below, everything is working fine but I am ending up with Unauthorized access page for all the requests.
Can anyone please help to identify and solve the problem!
namespace MyRequirement
{
public class MyAuthorizeAttribute : AuthorizeAttribute
{
readonly string allowedRoles;
public MyAuthorizeAttribute(string allowedRoles)
{
this.allowedRoles = allowedRoles;
}
public System.Collections.Generic.List<string> AllowedRoles
{
get
{
return this.allowedRoles.Split(',').ToList();
}
}
private bool AuthorizeRole(AuthorizationContext filterContext)
{
var context = filterContext.RequestContext.HttpContext;
PnLUserDetails userDetails = System.Web.HttpContext.Current.Session["PnLUserDetails"] as PnLUserDetails;
string loggedInUserRole = userDetails.Role;
if (AllowedRoles.Contains(loggedInUserRole))
return true;
return false;
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
if (filterContext == null)
throw new ArgumentException("filterContext");
bool authStatus = AuthorizeRole(filterContext);
if(!authStatus)
{
filterContext.Result = new HttpUnauthorizedResult();
return;
}
}
}
}
Remove the call to
base.OnAuthorization(filterContext);
Change the code like this
public override void OnAuthorization(AuthorizationContext filterContext)
{
// This line is not needed, you are handling the authorization
// This is the line that will give you the unauthorized access by default
// base.OnAuthorization(filterContext);
if (filterContext == null)
throw new ArgumentException("filterContext");
bool authStatus = AuthorizeRole(filterContext);
if(!authStatus)
{
filterContext.Result = new HttpUnauthorizedResult();
return;
}
}
I've a custom AuthorizeAttribute in my website. It has some logic about the Result created for unathorized requests.
In some cases, I want to trigger its validation manually*. I don't know if its possible. As I haven't found how to do that, I thought that I could extract the logic to get the Result to a diferrent method, and call it when I want. But then I don't know how to execute the ActionResult (outside de controllers).
How can I do to manually execute authorize validation? If not possible, how can I do to execute an ActionResult outside a controller?
*I need to trigger it manually because some request may pass the validation (because the session is created) and then, when accessing my services, found that the session was closed by someone else. I wouldn't like to add a call to the services in OnAuthorization to reduce services calls.
I'm not sure if its the best, but I've found a way to get it working (still listening for better answers).
When I call the services and notice that the work session has expired, all I do is removing the active user in the web session.
My custom authorize attribute also implements IResultFilter and IExceptionFilter.
In both OnResultExecuted and OnException I validate the active user once more. If the session was removed, then apply the same ActionResult that I would apply in OnAuthorization.
Here is the final class:
public class CustomAuthorizeAttribute : AuthorizeAttribute, IResultFilter, IExceptionFilter
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
ActionResult result = Validate(filterContext.HttpContext);
if (result != null)
filterContext.Result = result;
}
public void OnResultExecuted(ResultExecutedContext filterContext)
{
ActionResult result = Validate(filterContext.HttpContext);
if (result != null)
filterContext.Result = result;
}
public void OnResultExecuting(ResultExecutingContext filterContext)
{
}
public void OnException(ExceptionContext filterContext)
{
ActionResult result = Validate(filterContext.HttpContext);
if (result != null)
{
filterContext.Result = result;
filterContext.ExceptionHandled = true;
}
}
public static ActionResult Validate(HttpContextBase httpContext)
{
if (UserActiveInSession)
return null;
// Different rules to build an ActionResult for this specific case.
}
}
I did not get Diego answer's, But Just simply answering the title, I got it to work like that, You can use it as attribute on controllers actions and also trigger it manually at any place in C# or in Razor views.
namespace SomeNameSpace
{
public class CustomAuthorizeAttributeMVC : AuthorizeAttribute
{
private readonly string[] rolesParams;
public CustomAuthorizeAttributeMVC(params string[] roles)
{
this.rolesParams = roles;
}
public bool IsAuthorized { get {
//Do your authorization logic here and return true if the current user has permission/role for the passed "rolesParams"
string[] allowedRoles = new string[] {"role 1", "role 2", "role 3"};
return allowedRoles.Intersect(rolesParams).Any(); //for the example
}
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
return this.IsAuthorized;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
//...
}
}
public class AuthorizeHelper
{
public static bool HasPermission(params string[] roles)
{
return new CustomAuthorizeAttributeMVC(roles).IsAuthorized;
}
}
}
Usage example:
[CustomAuthorizeAttributeMVC("role 2")]
public ActionResult SomeAction()
{
return Content("Authorized !");
}
public ActionResult SomeOtherAction()
{
if(AuthorizeHelper.HasPermission("role 2"))
{
return Content("Authorized !");
}
return Content("401 Not Authorized !");
}
And as said, it can be used in Razor views by calling it normally
#if(AuthorizeHelper.HasPermission("role 2")) {
//...
}
Thanks
I am having issues with frequent Session Time Out.
I want to write a common filter that I could use on each controller, filter should redirect the user to login and after log in back to from where user sent the last request.
You could try something like this:
public class SessionExpireAttribute : ActionFilterAttribute {
public override void OnActionExecuted(ActionExecutedContext filterContext) {
base.OnActionExecuted(filterContext);
}
public override void OnActionExecuting(ActionExecutingContext filterContext) {
if (filterContext.HttpContext.Session != null) {
if (filterContext.HttpContext.Session.IsNewSession) {
var sessionCookie = filterContext.HttpContext.Request.Headers["Cookie"];
if ((sessionCookie != null) && (sessionCookie.IndexOf("ASP.NET_SessionId") >= 0)) {
// redirect to login
}
}
}
}
}
There's more here than meets the eye. Here's a more complete OnActionExecuting that uses the same concept already discussed above but adds a bit more. See inline comments for more info. The "InitializeSession" being called is a custom function which creates the basic attributes needed in Session State for running the site. "AlertWarning" is a Helper routine for displaying alerts. Everything else is boilerplate code.
protected override void OnActionExecuting(ActionExecutingContext filterContext)
{
var bRequiresAuthorization =
(filterContext.ActionDescriptor.GetCustomAttributes(typeof(AuthorizeAttribute), false).Length > 0) ||
(filterContext.Controller.GetType().GetCustomAttributes(typeof(AuthorizeAttribute), false).Length > 0);
if (filterContext.HttpContext.Session != null)
{
if (filterContext.HttpContext.Session.IsNewSession)
{
//New session. Initialize Session State
bool b = InitializeSession(null);
if (bRequiresAuthorization )
{
//Action requested requires authorized access. User needs to authenticate this
//new session first, so redirect to login
string cookie = filterContext.HttpContext.Request.Headers["Cookie"];
if ( (cookie != null) && (cookie.IndexOf("_SessionId=") >= 0) )
{
//An expired session cookie still resides on this PC, so first alert user that session is expired
AlertWarning("Session timed out due to inactivity. Please log in again.");
}
filterContext.Result = RedirectToAction("LogOut", "Authentication");
}
}
}
base.OnActionExecuting(filterContext);
}
Have you tried the existing Authorize filter?
as mentioned above .. try this
public class SessionExpireAttribute : ActionFilterAttribute {
public override void OnActionExecuting(ActionExecutingContext filterContext) {
if (filterContext.HttpContext.Session != null) {
if (filterContext.HttpContext.Session.IsNewSession) {
filterContext.Result = new RedirectResult("/");//redirect to home page
}
}
}
}
and then apply this filter over the action or controller [SessionExpire]
I'm making an ajax call using jquery to an asp.net mvc controller action:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult GetWeek(string startDay)
{
var daysOfWeek = CompanyUtility.GetWeek(User.Company.Id, startDay);
return Json(daysOfWeek);
}
When session times out, this call will fail, as the User object is stored in session. I created a custom authorize attribute in order to check if session was lost and redirect to the login page. This works fine for page requests, however it doesn't work for ajax requests, as you can't redirect from an ajax request:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AuthorizeUserAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (!httpContext.Request.IsAjaxRequest())
{//validate http request.
if (!httpContext.Request.IsAuthenticated
|| httpContext.Session["User"] == null)
{
FormsAuthentication.SignOut();
httpContext.Response.Redirect("~/?returnurl=" + httpContext.Request.Url.ToString());
return false;
}
}
return true;
}
}
I read on another thread that when the user isn't authenticated and you make an ajax request, you should set the status code to 401 (unauthorized) and then check for that in js and redirect them to the login page. However, I can't get this working:
protected override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (Request.IsAjaxRequest() && (!Request.IsAuthenticated || User == null))
{
filterContext.RequestContext.HttpContext.Response.StatusCode = 401;
}
else
{
base.OnActionExecuting(filterContext);
}
}
Basically, it'll set it to 401, but then it'll continue into the controller action and throw an object ref not set to an instance of an object error, which then returns error 500 back to the client-side js. If I change my custom Authorize attribute to validate ajax requests as well and return false for those that aren't authenticated, that makes the ajax request return my login page, which obviously doesn't work.
How do I get this working?
You could write a custom [Authorize] attribute which would return JSON instead of throwing a 401 exception in case of unauthorized access which would allow client scripts to handle the scenario gracefully:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.Result = new JsonResult
{
Data = new
{
// put whatever data you want which will be sent
// to the client
message = "sorry, but you were logged out"
},
JsonRequestBehavior = JsonRequestBehavior.AllowGet
};
}
else
{
base.HandleUnauthorizedRequest(filterContext);
}
}
}
then decorate your controller/actions with it and on the client:
$.get('#Url.Action("SomeAction")', function (result) {
if (result.message) {
alert(result.message);
} else {
// do whatever you were doing before with the results
}
});
I wouldn't change JsonRequestBehavior to AllowGet. Instead I suggest:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class MyAuthorizeAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
OnAuthorizationHelp(filterContext);
}
internal void OnAuthorizationHelp(AuthorizationContext filterContext)
{
if (filterContext.Result is HttpUnauthorizedResult)
{
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.HttpContext.Response.StatusCode = 401;
filterContext.HttpContext.Response.End();
}
}
}
}
and add global js ajax errors handler:
$(document).ajaxError(function (xhr, props) {
if (props.status === 401) {
location.reload();
}
}
Even though this is well past answered, I think this is the shortest and sweetest answer if you are using .NET 4.5. Little property called SuppressFormsAuthenticationRedirect which was added. Set to true and it will not perform the 302 Redirect to login page.
http://msdn.microsoft.com/en-us/library/system.web.httpresponse.suppressformsauthenticationredirect.aspx
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AjaxAuthorizeAttribute : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
// returns a 401 already
base.HandleUnauthorizedRequest(filterContext);
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
// we simply have to tell mvc not to redirect to login page
filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
}
}
}
Assuming you plan on handling the ajax requests fail/error callback, in which you will get a 401 Unauthorized.
On Master page add this jquery script ------------
<script type="text/javascript">
$.ajaxSetup({
statusCode: {
403: function () {
window.location.reload();
}
}
});
OR
$.ajaxSetup({
error: function (x, e) {
if (x.status == 403) {
window.location.reload();
}
}
});
</script>
Add a cs file named with TraceFilter in your project and write a seald class TraceFilterAttribute inheriting to ActionFilterAttribute.
Add TraceFilterAttribute class in FilterConfig.cs available in App_Start folder of your project by writing below line.
filters.Add(new TraceFilterAttribute());
Override method OnActionExecuting() in TraceFilterAttribute class. This will automatically check session and if finds session null then calls script available in master page and from their you can go to your choice page.
[AttributeUsage(AttributeTargets.All)]
public sealed class TraceFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (filterContext != null)
{
HttpSessionStateBase objHttpSessionStateBase = filterContext.HttpContext.Session;
var userSession = objHttpSessionStateBase["etenetID"];
if (((userSession == null) && (!objHttpSessionStateBase.IsNewSession)) || (objHttpSessionStateBase.IsNewSession))
{
objHttpSessionStateBase.RemoveAll();
objHttpSessionStateBase.Clear();
objHttpSessionStateBase.Abandon();
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.HttpContext.Response.StatusCode = 403;
filterContext.Result = new JsonResult { Data = "LogOut" };
}
else
{
filterContext.Result = new RedirectResult("~/Admin/GoToLogin");
}
}
}
}
}
I was having a similar issue and found this
Instead of returning any JSON, just before the response is sent back, force ASP.NET to return a 401 code. In Global.asax:
protected void Application_EndRequest()
{
var context = new HttpContextWrapper(Context);
if (context.Request.IsAjaxRequest() && context.Response.StatusCode == 302)
{
Context.Response.Clear();
Context.Response.Write("**custom error message**");
Context.Response.StatusCode = 401;
}
}
Then you can let the client deal with it in JavaScript/jQuery or whatever you are using
here is how I handle this in so simple way in my custom authorization , I check if session is out and handle this as un-authorized with a boolean to check if it is really authenticated but not authorized (to redirect to un-authorized page) or it is not authenticated due to session time out ( redirect to Login)
private bool ispha_LoggedIn = false;
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
ispha_LoggedIn = false;
var session = httpContext.Session;
bool authorize = false;
if (httpContext.Session["authenticationInfo"] == null)
{
return authorize;
}
using (OrchtechHR_MVCEntities db = new OrchtechHR_MVCEntities())
{
UserAuthenticationController UM = new UserAuthenticationController();
foreach (var roles in userAssignedRoles)
{
authorize = UM.IsUserInRole(httpContext.User.Identity.Name, roles);
if (authorize)
{
return authorize;
}
}
}
ispha_LoggedIn = true;
return authorize;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (ispha_LoggedIn==false)
{
filterContext.Result = new RedirectResult("~/UserAuthentication/LogIn");
}
else
{
filterContext.Result = new RedirectResult("~/Dashboard/UnAuthorized");
}
}
Hope if this guides someone and please if there're comments its appreciated to know them though.
You might want to try to throw HttpException and catch it in your javascript.
throw new HttpException(401, "Auth Failed")
on ajax call if session expired return something like this
<script>
$(function(){
location.reload();
});
</script>
haha...
I'm building my own membership system and I want nothing to do with the MS Membership provider. I've looked around the internet and here on StackOverflow but all I could found was membership providers built on top of the MS Membership provider.
Anyway, I've got almost everything hooked up now, but I'd like to use a custom Authorize attribute which utilized my membership infrastructure. I checked out this thread here on the site and I'm trying to do something similar, but I'm not sure that's quiet what I need. So far these are the classes I've got:
SessionManager:
public static class SessionManager : ISessionManager
{
public static void RegisterSession(string key, object obj)
{
System.Web.HttpContext.Current.Session[key] = obj;
}
public static void FreeSession(string key)
{
System.Web.HttpContext.Current.Session[key] = null;
}
public static bool CheckSession(string key)
{
if (System.Web.HttpContext.Current.Session[key] != null)
return true;
else
return false;
}
public static object ReturnSessionObject(string key)
{
if (CheckSession(key))
return System.Web.HttpContext.Current.Session[key];
else
return null;
}
}
SharweAuthorizeAttribute: (I am not really sure if that's actually what I should be doing)
public class SharweAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (SessionManager.CheckSession(SessionKeys.User) == true)
return true;
else
return false;
}
}
Now here's what I need:
Is my SharweAuthorizeAttribute class
correct in the first place?
I need to be able to redirect
unauthenticated users to the login
page
I need to authorize users based on
their roles (using my own role
provider) so I would do something
like:
[SharweAuthorize(Roles="MyRole")]
That's it I guess... Any suggestions are more than welcome :)
UPDATE:
Ok I just read that page again and found the solution to question number two:
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (SessionManager.CheckSession(SessionKeys.User) == false)
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary
{
{ "action", "ActionName" },
{ "controller", "ControllerName" }
});
}
else
base.HandleUnauthorizedRequest(filterContext);
}
Let me know if I got it right please...
Yes, you got it right (IMO it's safer and simpler to implement a custom membership provider, but it's your choice)
Yes, it's correct
You do it right
You inherit the roles property from the AuthorizeAttribute base class and you check in your implementation if the user is in the role.
Edit: a little more on the roles thing
if you have
[SharweAuthorize(Roles="MyRole")]
then you can check the Roles property in the AuthorizeCore method
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (SessionManager.CheckSession(SessionKeys.User) == true) {
if (SessionManager.CheckUserIsInRole( Roles )) // where Roles == "MyRole"
return true;
}
return false;
}