Login system in ASP.NET MVC

2

How do I implement a login system in an ASP.NET MVC application? Do I use Forms Authentication or Identity? I've been reading about Identity and wanted to see a basic example of Identity using the MVC web template without authentication. If not, a Forms Authentication example in MVC.

    
asked by anonymous 17.05.2015 / 04:59

1 answer

5
Most of the tools you used in ASP.NET with Web Forms are available in ASP.NET MVC. The framework has evolved, but that does not mean that you no longer have the other tools. Therefore, you can implement an authentication mechanism based on a repository or service, just as you did before. A simplistic example would be a table in the database where you validate a login and password typed in a form.

It is important to highlight that authorization is different from authentication: the act of authenticating a user is similar to conferring an identity, whereas authorizing is allowing someone identified to use a resource (controlling the URLs that someone can access).

So, in a very simple system, you would configure your Web.config for the Forms authentication type, with the controller/action URL that logs in (the login form), and then write a method that returns a boolean: true for the correct login and password and false for wrong ones.

Sample of a Web.config:

<authentication mode="Forms">
  <forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>

If you set the login and password, you authenticate it using the method:

FormsAuthentication.SetAuthCookie(username, false);

Where username is the login, and that's it: you have built an MVC application using forms-based custom authentication.

It's important to note that if you control the login but do not restrict access to the controllers or actions to authenticated users, then you are not doing anything. :)

To restrict access to a Controller or an action, you can use an "Authorize" attribute, as in the example below:

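using System.Web.Mvc;

public class HomeController : Controller
{
    // Any authenticated user may call this action.
    [Authorize]
    public ActionResult Index()
    {
        ViewBag.Message = "Welcome to ASP.NET MVC!";

        return View();
    }

    // Only authenticated users in the "Admin" role may call this action.
    [Authorize(Roles="Admin")]
    public ActionResult About()
    {
        return View();
    }
}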

This is not a good way to do authorization. Notice that in one of the controller methods I only allow Admin (fixed in the code) access; this should be controlled dynamically, because in practice you control several profiles dynamically in real-world applications.

Another problem is that you have to remember which areas (controller/action) are restricted, so sometimes you might wonder if it's worth having a ControllerBase class and inheriting your controllers from it; then you restrict access to that class, even though you can also fail to inherit from it. Automatic testing or code review would help.

A good basics article on Custom Authentication: link

Remember that the method that does custom authentication is your responsibility, so you can use the repository you need. For example, I worked on a project where we used Forms to authenticate the user against the Active Directory of the network. I used Forms the same way; the difference was the method to authenticate.

    
20.05.2015 / 08:36
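
The login flow described in the answer above (a boolean credential check followed by `FormsAuthentication.SetAuthCookie`), as an added example that is not part of the original answer. `LoginModel`, `StoredUser` and `IUserStore` are hypothetical names; the sketch assumes a dependency resolver supplies `IUserStore`, that the table stores a PBKDF2 hash with a per-user salt instead of the password, and that the login view emits `@Html.AntiForgeryToken()`.

```csharp
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical types for this example; none of them come from the answer.
public class LoginModel { public string UserName { get; set; } public string Password { get; set; } }
public class StoredUser { public byte[] Salt; public byte[] Hash; public int Iterations; }
public interface IUserStore { StoredUser Find(string userName); } // null when unknown

public class AccountController : Controller
{
    private readonly IUserStore _users;
    public AccountController(IUserStore users) { _users = users; }

    // GET ~/Account/Login: the loginUrl configured in Web.config.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, false); // session cookie
            // Follow returnUrl only when it points back into this site.
            if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }
        // Same message for unknown user and wrong password.
        ModelState.AddModelError("", "Invalid user name or password.");
        return View(model);
    }

    // The "method which returns a boolean": true only for a matching password.
    private bool ValidateUser(string userName, string password)
    {
        StoredUser user = _users.Find(userName ?? "");
        if (user == null || password == null) return false;
        using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, user.Iterations))
        {
            byte[] candidate = kdf.GetBytes(user.Hash.Length);
            int diff = 0; // compare every byte so timing does not reveal a partial match
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ user.Hash[i];
            return diff == 0;
        }
    }
}
```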