Prevent unauthenticated users from accessing a page in ASP.Net MVC - asp.net-mvc

In my ASP.Net MVC web application any unauthenticated and anonymous user can type a URL (for example localhost:16621/Controller/Index/1) and access that page. How can I prevent this?

In ASP.NET MVC, use the AuthorizeAttribute. But you'll probably need a user system that uses a database or authenticates against Google/Facebook using OAuth.

Take a look at the [Authorize] attribute.
You can find more details here and here.

Related

Simple role based authentication ASP MVC?

I'm trying to implement role based authentication, in my AuthController I have retrieved the user's Windows username and checked it against the database users table to find their record, now that I have found their role I want to assign it to them so that they can access protected routes. What is the simplest way to achieve this?
Right now all I am doing in the AuthController is setting their auth cookie.
The best and correct way is to use ASP.NET MVC Identity Framework. It is designed to handle authentication and authorization of MVC apps. It supports role based auth. You can start from here.

Additional custom logic after cookie authentication - aspnet identity, MVC5

I'm implementing aspnet identity in my MVC5 project. I have configured my project to use cookie authentication, form authentication and external authentication (Facebook and Google). Everything works fine.
Now I have a requirement to log whenever a user logs in to the system, and I need to do some further logic. For form authentication and external authentication I have a controller action where I can add my logic. However, for the case where the user just comes back to the system via cookie, how do I handle it?
I'm sure there's a better way to handle this, but a basic method would be to track all activity by the user, and then use timestamps to determine when a user was last active on your site.
Discussed here: Track user activity/actions for an asp.net mvc website?
OnExecuting filters here: https://msdn.microsoft.com/en-us/library/gg416513%28VS.98%29.aspx

FormsAuthentication.SetAuthCookie

I am developing an asp.net mvc application and have created my custom user database and registration procedure (need email verification). Can I use FormsAuthentication.SetAuthCookie with my own login procedure, without dealing with asp.net's membership provider? Will doing so work with the [Authorize] attribute?
Yes, you can use FormsAuthentication.SetAuthCookie within your own login procedure, in fact, that's what the default asp.net mvc template uses.
[Authorize] will work since FormsAuthentication.SetAuthCookie populates HttpContext.User.Identity.IsAuthenticated to true.
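
The login flow this answer describes, as an added example that is not part of the original answer or of any ASP.NET template: a custom credential check, `FormsAuthentication.SetAuthCookie`, and `[Authorize]` guarding everything else. `IUserVerifier` and its method are hypothetical stand-ins for the asker's own user table and email-verification check, and the controller assumes a dependency resolver supplies it.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical abstraction over the custom user table (not an ASP.NET type).
public interface IUserVerifier
{
    // True only for a correct password on an account whose email is verified.
    bool IsValidVerifiedUser(string userName, string password);
}

[Authorize] // every action requires an authenticated user unless it opts out
public class AccountController : Controller
{
    private readonly IUserVerifier _users; // assumed to be injected by a DI resolver

    public AccountController(IUserVerifier users) { _users = users; }

    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!_users.IsValidVerifiedUser(userName, password))
        {
            // Same message for unknown user, wrong password and unverified email.
            ModelState.AddModelError("", "Invalid user name or password.");
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        // Issues the forms ticket cookie; false = session cookie, not persistent.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Only follow returnUrl when it points back into this site.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut(); // removes the forms ticket cookie
        return RedirectToAction("Index", "Home");
    }
}
```

This relies on forms authentication being enabled in web.config (`<authentication mode="Forms">`); without it the cookie is never read back and `[Authorize]` rejects every request.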

Using both Forms and AD authentication?

My ASP.NET MVC site requires forms-based authentication for some resources (downloads, discussion forum, etc). This works great with the [Authorize] attribute.
However, I need my admin site (`~/Areas/Admin/*`) to authenticate against Active Directory.
With regular ASP.NET or classic ASP, I would just go into the IIS config and change the directory security to deny anonymous users. However, I can't figure out a way to do that with an area.
I know putting the [authorize] attribute on the controllers in my admin area would require a login, but it'll use the same forms-based authorization as the public areas of the site. Right now that authenticates users against a database (not using the ASP.NET Membership system as it's overkill for my app). I need users to authenticate against the domain, but ONLY in the Admin area.
Ideas?
You will need to write your own custom Domain authorize attribute and add this to the admin controllers.
Have a look at the answer here: asp.net mvc Adding to the AUTHORIZE attribute

ASP.NET MVC + LiveID --> should I use the Membership provider & Account controller?

I'd like to use LiveID on an ASP.NET MVC site. Should I still use the ASP.NET Membership provider? How about the default MVC Account controller? I have things working without either, but:
Using the Membership controller lets me see when a user last logged in.
Using the Account controller makes setting authentication cookies a bit easier.
Thoughts?
Answered here before, Peter Bromberg has a nice sample. You would still use the Membership provider albeit as a custom provider.
