2

We are trying to build a website which has a login screen, but we have a problem. Our domain is localhost/Login/User, but if a user enters localhost/Home/Index, he/she can reach our main site without logging in. So we added [Authorize] to our Index controller, but I couldn't find out what I must use. Do I have to use AuthorizeAttribute in our project?

Login Page

    using System.Web.Mvc;

    public class LoginController : Controller
    {
        // GET: Login
        [IntranetAction] // custom attribute from the poster's project
        public ActionResult Users()
        {
            return View();
        }

        public ActionResult Authentication(UserLoginInfo loginInfo)
        {
            bool isAuthenticated = new LdapServiceManager().isAuthenticated(loginInfo);
            if (isAuthenticated)
            {
                // AUTHORIZED: stores the user name in session state only;
                // no authentication cookie or principal is issued here
                Session["userName"] = loginInfo.username;
                return Redirect("/Home/Index");
            }

            // WRONG PASSWORD, BACK TO LOGIN PAGE
            // (message is Turkish for "Wrong username or password")
            TempData["message"] = "Yanlış kullanıcı adı ya da şifre";
            return Redirect("/");
        }
    }

Index Page

    [Authorize]
    public ActionResult Index()
    {
        Session["ip"] = Request.UserHostAddress;
        if (IsDbExists())
        {
            _contactList = new List<Contact>();
            UpdateOperations();
            return View(_contactList);
        }

        // Return a RedirectResult instead of calling Response.Redirect and returning null
        return Redirect("/Loading/LoadingScreen");
    }

How can I access Index from my LoginController/Authentication function?

1 Answer

2

Add the [AllowAnonymous] attribute. I would add another controller called AuthController which would have an [AllowAnonymous] attribute so users would be able to log in without actually being logged in.

I usually would filter all controllers by default and would add the [AllowAnonymous] attribute to the ones that would be accessed by anyone.

I use this to deal with that.

    using System.Web.Mvc;

    namespace Test
    {
        public class FilterConfig
        {
            public static void RegisterGlobalFilters(GlobalFilterCollection filters)
            {
                filters.Add(new HandleErrorAttribute());
                // Registering AuthorizeAttribute globally makes every action require
                // an authenticated user unless it is marked [AllowAnonymous]
                filters.Add(new AuthorizeAttribute());
            }
        }
    }

An example of the [AllowAnonymous] attribute in the AuthController.

    using System.Security.Claims;
    using System.Web;
    using System.Web.Mvc;
    using BusinessLogic.Services;
    using Common.Models;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin.Security;

    namespace Test.Controllers
    {
        // Whole controller is reachable without authentication,
        // overriding the global AuthorizeAttribute
        [AllowAnonymous]
        public class AuthController : Controller
        {
            private readonly IUsersService _usersService;

            public AuthController(IUsersService usersService)
            {
                _usersService = usersService;
            }

            [HttpGet]
            public ActionResult LogIn()
            {
                return View();
            }

            [HttpPost]
            public ActionResult LogIn(LoginModel loginModel)
            {
                if (!ModelState.IsValid)
                {
                    return View();
                }

                var isValid = _usersService.AuthenticateUser(loginModel);
                if (isValid)
                {
                    // Build a claims identity and sign in through the OWIN cookie middleware;
                    // this is what [Authorize] checks on later requests
                    var identity = new ClaimsIdentity(new[]
                    {
                        new Claim(ClaimTypes.NameIdentifier, loginModel.Username),
                        new Claim(ClaimTypes.Name, loginModel.Username),
                    }, DefaultAuthenticationTypes.ApplicationCookie);

                    Request.GetOwinContext().Authentication.SignIn(
                        new AuthenticationProperties() { IsPersistent = false }, identity);

                    return Redirect(GetRedirectUrl(loginModel.ReturnUrl));
                }

                ModelState.AddModelError("", "Invalid credentials");
                return View();
            }

            public ActionResult LogOut()
            {
                var ctx = Request.GetOwinContext();
                var authManager = ctx.Authentication;
                // "ApplicationCookie" is the value of DefaultAuthenticationTypes.ApplicationCookie
                authManager.SignOut("ApplicationCookie");
                return RedirectToAction("index", "home");
            }

            // Only follow ReturnUrl when it is local to this site (prevents open redirects)
            private string GetRedirectUrl(string returnUrl)
            {
                if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
                {
                    return Url.Action("index", "home");
                }

                return returnUrl;
            }
        }
    }

References which might help you: http://benfoster.io/blog/aspnet-identity-stripped-bare-mvc-part-1

https://softwareengineering.stackexchange.com/questions/284380/is-formsauthentication-obsolete

Role-based access control (RBAC) vs. Claims-based access control (CBAC) in ASP.NET MVC

https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
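The answer's AuthController calls Request.GetOwinContext().Authentication.SignIn(...), which only works if the OWIN cookie authentication middleware is configured at startup; the page does not show that part. Below is an added example of that wiring, written for this page and not taken from the answer or from the linked references. It assumes the namespace Test used in the answer, the standard MVC5 RouteConfig class, and that the login action lives at /Auth/LogIn; those names are assumptions, not something the page states.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Tells the OWIN host which class configures the pipeline.
[assembly: OwinStartup(typeof(Test.Startup))]

namespace Test
{
    // OWIN startup: registers the cookie middleware that issues and validates
    // the authentication cookie. Without this, SignIn() in AuthController
    // has no middleware to hand the ClaimsIdentity to, and [Authorize]
    // will reject every request because User.Identity.IsAuthenticated stays false.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Must match the authentication type used when building the ClaimsIdentity
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,

                // Unauthenticated requests to an [Authorize] action are redirected here
                // with ?ReturnUrl=<original path> appended, which is what
                // AuthController.GetRedirectUrl later validates with Url.IsLocalUrl.
                LoginPath = new PathString("/Auth/LogIn"),   // assumed route

                // Hardening: keep the cookie out of script reach and off plain HTTP
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,

                // Bound the lifetime of a stolen cookie
                ExpireTimeSpan = TimeSpan.FromMinutes(30),
                SlidingExpiration = true
            });
        }
    }

    // Global.asax: hook up the global AuthorizeAttribute filter from FilterConfig
    // so that every action is protected unless marked [AllowAnonymous].
    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes);   // assumed standard RouteConfig
        }
    }
}
```

With this in place, the login flow is: an anonymous request to /Home/Index hits the global AuthorizeAttribute, the cookie middleware redirects to /Auth/LogIn?ReturnUrl=%2FHome%2FIndex, AuthController (marked [AllowAnonymous]) validates the credentials and calls SignIn, and the next request carries the cookie that [Authorize] accepts. Note that the question's approach of setting Session["userName"] alone does not satisfy [Authorize], because that attribute checks User.Identity.IsAuthenticated, not session state. CookieSecureOption.Always requires the site to be served over HTTPS, including on localhost during development; use SameAsRequest only if you cannot do that.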
