2

I'm very new to .NET and security. I've chosen to implement Forms authentication (correct me if I should use something else). From what I gathered on the internet, I did the following, but it's not working:

Web.config

    <authentication mode="Forms">
        <forms loginUrl="~/Home/Index" timeout="30" />
    </authentication>

HTTPPost ajax Login method:

    [HttpPost]
    public ActionResult Login(LoginInputModel loginModel)
    {
        if (ModelState.IsValid)
        {
            var success = UserService.Login(loginModel.Password, loginModel.Email);
            if (success)
            {
                return Json(new { Url = Url.Action("Index", "Home") });
            }
            loginModel.ErrorMessages = "Failed to log in with these credentials. Please try again.";
            return PartialView("Widgets/Login/_LoginInput", loginModel);
        }
        return PartialView("Widgets/Login/_LoginInput", loginModel);
    }

With actual login code in UserService class:

    public static bool Login(string password, string email)
    {
        var user = Connector.GetUserByCredentials(password, email);
        if (user == null) return false;
        FormsAuthentication.SetAuthCookie(email, false); // this line
        SessionService.Delete(UserSessionKey);
        SessionService.Store(UserSessionKey, UserMapper.DbUserToUser(user));
        return SessionService.HasKey(UserSessionKey);
    }

Whenever I hit login, it works okay (it refreshes the page and I see different content), but if I then navigate to another page, I get redirected to the login page again. What am I (not) doing wrong?

If you need more code, I'll be happy to post it.

PoeHaH
  • Why do you have ``? It should be the `Login()` method of your controller e.g. `/Account/Login` –  Dec 03 '14 at 22:19
  • Home/Index is the first page, containing a login widget that goes to Account/Login, so if I want to redirect to login page, it should be the Home/Index – PoeHaH Dec 03 '14 at 22:27

1 Answer

17

When you say you're using MVC5, what version of Visual Studio are you using? Are you using an application that was originally created by a default wizard?

If the application was created by the default wizard, then by default it enables ASP.NET Identity, and it removes the FormsAuthentication module from processing. If you want to keep using FormsAuth then you have to remove the "remove" key from the web.config for the FormsAuthentication module.

You need to remove this line

    <system.webServer>
        <modules>
            <remove name="FormsAuthentication" /> <!-- remove this line -->
        </modules>
    </system.webServer>

Erik Funkenbusch
  • 3
    @PoeHaH - no need, it's kind of obscure... most people just use ASP.NET Identity and don't try to revert back to FormsAuthentication. – Erik Funkenbusch Dec 04 '14 at 06:08
  • Should I leave forms auth behind and also go to Identity? Is there a good beginners tutorial out there how I can have my own user database working with Identity? – PoeHaH Dec 04 '14 at 06:48
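
A check for the mismatch the answer describes, as an added example that is not part of the original thread: it flags a web.config that sets `mode="Forms"` while `<modules>` removes the FormsAuthentication module. The function names and sample configs are constructed for illustration, and the code assumes the module is otherwise inherited from server-level configuration and treats a later `<add>` as re-enabling it.

```python
import xml.etree.ElementTree as ET

MODULE = "FormsAuthentication"

def _child(parent, name):
    """First direct child with this local name (namespace ignored), or None."""
    if parent is None:
        return None
    return next((c for c in parent if c.tag.rsplit("}", 1)[-1] == name), None)

def forms_module_active(modules):
    """Replay <clear/>, <remove> and <add> entries in document order."""
    active = True  # assumption: the module is inherited from server-level config
    for entry in (modules if modules is not None else []):
        op = entry.tag.rsplit("}", 1)[-1]
        if op == "clear":
            active = False
        elif entry.get("name", "").lower() == MODULE.lower():
            if op in ("remove", "add"):
                active = (op == "add")
    return active

def audit(web_config_text):
    """Return findings for one web.config document given as a string."""
    root = ET.fromstring(web_config_text)
    auth = _child(_child(root, "system.web"), "authentication")
    mode = auth.get("mode", "") if auth is not None else ""
    modules = _child(_child(root, "system.webServer"), "modules")
    if mode.lower() == "forms" and not forms_module_active(modules):
        return ["mode=Forms but the FormsAuthentication module is removed; "
                "the auth cookie is never read on later requests"]
    return []

# Constructed sample configs (not taken from a real application).
_AUTH = ('<system.web><authentication mode="Forms">'
         '<forms loginUrl="~/Home/Index" timeout="30" /></authentication></system.web>')
_TEMPLATE = ("<configuration>" + _AUTH +
             "<system.webServer><modules>%s</modules></system.webServer></configuration>")
BROKEN = _TEMPLATE % '<remove name="FormsAuthentication" />'
FIXED = _TEMPLATE % ""
READDED = _TEMPLATE % ('<remove name="FormsAuthentication" />'
                       '<add name="FormsAuthentication" '
                       'type="System.Web.Security.FormsAuthenticationModule" />')

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("re-added", READDED)):
        print(label, audit(cfg) or "ok")
```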