0

I'm implementing a login to my website by simply authenticating the user and recording its information in cookies. In order to protect pages that require registered users, what I'm doing is to call a method that reads the cookie and tries to authenticate the user again, so if the cookie is not expired and the user and pass inside of it are found in the db, the session goes on.

Since I'm calling this method in every action in the controller, I'm kind of unsure if what I'm doing is right or not, so my question is: is there a better way to secure the access to the controller without having to rewrite the same code over and over?

Example of what I've done:

public ActionResult Act1 () {
     if (CheckCookie() == true)
        return View();
     else 
        return RedirectToAction("Login","Home");
}

public ActionResult Act2 () {
     if (CheckCookie() == true)
        return View();
     else 
        return RedirectToAction("Login","Home");
}

As you can see the same kind of code is repeated in each action in the way I'm implementing the login.

2
  • You should create a new Internet type mvc.net website and check out how the generated sample uses [Authorize] on the Controllers and/or Actions that require users to be authenticated. Commented May 3, 2014 at 22:39
  • @MattiasÅslund: The Visual Studio template uses Memberships, I'm not interested in that, I have my own database and I use entity framework. Commented May 3, 2014 at 22:41

1 Answer

2

You will want to have a look at http://www.asp.net/identity as this is a great starting point for performing authentication within an ASP.NET website. It includes links to resources on how to create new project templates using OAuth, OpenId or FormsAuthentication.

You are trying to write your own kind of Forms Authentication, which is not necessary. In ASP.NET MVC, if you implement FormsAuthentication using ASP.NET Identity or other classes, you can have those classes securely write the cookie and retrieve it for you at runtime (securely). With Forms Authentication in place on your ASP.NET MVC website you can then decorate your controllers or action methods with decorators such as [Authorize] or [AllowAnonymous], which control access to those resources (securely).

Please have a look at that reference and as was suggested in comments, create a new Template in MVC and have a look at the sample code the template creates for you.


3 Comments

Pepto: (No disrespect my friend), no part of your answer was any help BUT this one "[Authorize]", you planted the idea of creating a custom attribute for the actions in my mind unintentionally. Thank you very very much. Gave you a +1
Well I'm glad I could help then =) apologies for the long winded version. Happy Coding!
@Pierre I mostly write websites for existing user databases. Create custom MembershipProvider and RolesProvider and register them in Web.Config. Then you can use the normal decorators against your own user database. You really shouldn't write the plumbing yourself.
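
The approach the answer and comments point to, as an added example that is not part of the original thread: the controller from the question with [Authorize] replacing the repeated CheckCookie() calls and a forms-authentication cookie that holds only the user name. The `VerifyCredentials` hook, the `Login`/`Logout` actions and the Web.config values are assumptions made for illustration.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Assumes Web.config contains <authentication mode="Forms"> with
// <forms loginUrl="~/Home/Login" />, and that the login view emits @Html.AntiForgeryToken().
[Authorize] // applies to every action in this controller unless marked [AllowAnonymous]
public class HomeController : Controller
{
    // Hypothetical hook: assign it in Application_Start to a function that checks the
    // submitted password against the hash in your own user table. Denies by default.
    public static Func<string, string, bool> VerifyCredentials = (user, password) => false;

    public ActionResult Act1() { return View(); } // no per-action cookie check needed
    public ActionResult Act2() { return View(); }

    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (!VerifyCredentials(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        // With default settings the cookie is an encrypted, validated ticket that
        // carries the user name only; the password is never written to the client.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Follow ReturnUrl only when it points back into this site.
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Act1");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}
```

Unauthenticated requests to Act1 or Act2 are redirected by the framework to the configured login URL with a ReturnUrl query parameter, which is why the POST action validates it before redirecting.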
