In a web app I am trying to introduce action attributes to add authentication in my actions. Right now I individually check for a valid session in each action.

I have created a custom attribute which uses AuthorizeAttribute:

public class BaseAuthAttribute : AuthorizeAttribute

And I decorate my actions with

[BaseAuth]

Now in the BaseAuthAttribute I have this code

public override void OnAuthorization(AuthorizationContext filterContext)
{
    var session = new BusinessLayer.PortalUser(filterContext.HttpContext.Request.Cookies["appname"]);
    if (!session.IsAuthorized())
    {
        filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary { { "controller", "Home" }, { "action", "Login" } });
    }
}

But when I do not have an active session, the Result = new line blows up with an "object not set to an instance of an object" error.

I am not using ASP.NET built-in auth, but rather doing custom checks to determine if there is a session/user. So is filterContext only to be used when you are using the ASP.NET membership classes?

I need to redirect to a view if their session is expired/non-existent, or indeed if they do have the correct permissions.

1 Answer

I've designed a custom authorization attribute for myself which checks for the user session and, if it has expired, redirects to the login page. You can check the session value in this.

public class SessionExpireAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // check  sessions here
        if (HttpContext.Current.Session["employeeid"] == null)
        {
            filterContext.Result = new RedirectResult("~/Account/Login");
            return;
        }
        base.OnActionExecuting(filterContext);
    }
}

But you need to use this attribute with the Authorize attribute, because it is just checking for the session value.

Updated

If you are not using the ASP.NET Membership provider, try this:

public class BaseAuthAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var session = new BusinessLayer.PortalUser(filterContext.HttpContext.Request.Cookies["appname"]);
        if (!session.IsAuthorized())
        {
            filterContext.Result = new RedirectResult("~/Account/Login");
            return;
        }
        base.OnActionExecuting(filterContext);
    }
}

5 Comments

When you say I need to use this attribute with Authorize, do you mean I need both?
Yes, because this attribute is just checking the session value. You need to use the Authorize attribute to authorize the user.
But the [Authorize] is for the ASP.Net membership stuff - I need custom validation so I do not think I need [Authorize]
Ok. I got it. But if you are not using Asp.Net membership then you cannot use CustomAuthorize attribute inherited from AuthorizeAttribute. However, you can use my provided custom attribute and make changes according to you.
@andrewb I've updated my answer with custom authorization attribute according to your requirement.
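
Added example (not code from the question or the answer): the same cookie-based check placed in the `AuthorizeCore` and `HandleUnauthorizedRequest` overrides of an `AuthorizeAttribute` subclass, which works without the ASP.NET membership provider and keeps the base class's output-cache handling. `PortalSessionAuthorizeAttribute` is a hypothetical name; `BusinessLayer.PortalUser` and the `appname` cookie come from the question and are assumed to behave as shown there.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical attribute name. BusinessLayer.PortalUser is the asker's own class;
// its constructor and IsAuthorized() are assumed to match the question's usage.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class PortalSessionAuthorizeAttribute : AuthorizeAttribute
{
    // The base OnAuthorization calls this, and calls it again through its
    // cache-validation callback, so an output-cached page is not served
    // to a caller whose session check fails.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        HttpCookie cookie = httpContext.Request.Cookies["appname"];

        // Fail closed: a missing or empty cookie means no session.
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return false;
        }

        return new BusinessLayer.PortalUser(cookie).IsAuthorized();
    }

    // Runs only when AuthorizeCore returned false.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAjaxRequest())
        {
            // Script callers get a status code instead of the login page's HTML.
            filterContext.Result = new HttpStatusCodeResult(401);
            return;
        }

        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary { { "controller", "Home" }, { "action", "Login" } });
    }
}
```

If the attribute is applied to a whole controller or registered globally, the Login action has to be exempted (for example with `[AllowAnonymous]` on MVC 4 and later), otherwise the redirect loops.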
