I've implemented something like this: Windows Authentication with ASP.NET MVC
Background - this is an intranet application and uses Active Directory - the application maintains its own list of users (i.e. network logins) and roles - I have a custom Membership and RoleProvider classes that performs the Membership.ValidateUser logic, etc. - the validation logic: * if the user (network login) is in the application user table they are Signed-in * upon access to any URL/action, auto-sign in if not already * if user NOT in system, redirect them to a "NoPermission" page * the [Authorize(Roles = "blah")] attribute is also used
Here's my controller OnAuthorize code on my controller: protected override void OnAuthorization(AuthorizationContext authContext) {
if (!this.HttpContext.Current.User.Identity.IsAuthenticated) { string networkLogin = HttpContext.Current.Request.LogonUserIdentity.Name; if (this.MembershipService.ValidateUser(networkLogin)) { FormsAuthentication.SignIn(networkLogin, true); base.OnAuthorization(authContext); } } } And here's a snippet from my Web.Config
<authentication mode="Forms"> <forms loginUrl="~/Home/NoPermissionIndex" timeout="1" defaultUrl="~/Home/Index" /> </authentication> The Problem Most things work EXCEPT on first-time access, the user gets logged in but is still redirected to the "NoPermission" page. Further, when the session/cookie/ticket (what's the difference, btw?), the user is also redirected to the "NoPermission" page.
I read from here ASP.NET MVC HttpContext Getting IdentityName after LogOn that a likely problem might be due to the authentication cookie not being present in the request, and that we have to send it in the response so that the client browser will send it in the request on subsequent calls.
If that's the case, how do I solve this on first access? And secondly, how do I make the cookie never expire? (Or just give timeout a really big number? Or some other solution?)
Help please!
Thanks.
