1

I want to control access to certain pages of my app by cookie. But I want to coordinate this from only one place. I thought of putting a check in a Layout.cshtml, i.e. that way all pages that use this Layout will do it automatically. Is that good?

Edit: Security for this app is not a concern.

abatishchev
ramires.cabral

4 Answers

3

You're violating one of the core principles of MVC – never put real logic in a view.

Instead, you should create an ActionFilter.

You should also figure out how to secure the cookie; you should probably use ASP.NET's existing membership system.

SLaks
  • http://msdn.microsoft.com/en-us/library/dd410209(v=vs.100).aspx http://msdn.microsoft.com/en-us/magazine/gg232768.aspx – SLaks Dec 27 '12 at 19:56
1

No, it's not good because cookies can be manipulated easily by anyone.

Why don't you want to use the normal Authentication and Authorization techniques that are already available?

Icarus
  • Thanks. In this case, security is not a concern. It's an app for our intranet. The controlling I mean is more of a user experience aspect. – ramires.cabral Dec 27 '12 at 19:39
1

Using cookies for controlling access to pages does NOT sound like a good idea. You will have to create a way to secure the cookie, which isn't easy. Without that, your authentication will be easy to spoof.

I would recommend that you use the built-in authentication and authorization mechanisms for MVC 4, which are well tested and built for this purpose. Here is one article to get you started.

Using the [Authorize] and [AllowAnonymous] attributes of MVC4, you can be quite flexible when restricting parts of your site to authorized users.

I've posted a more lengthy example using the above-mentioned attributes as an answer to another SO question.

Community
Christofer Eliasson
  • Correct me if I'm wrong, but Authorize & AllowAnonymous are about authorization and don't say anything about authentication. ASP.NET membership is still usable in ASP.NET MVC and is still based on cookies (which work pretty well if used correctly) – Simon Mourier Dec 27 '12 at 19:06
  • @SimonMourier That is correct, you'll need authentication as well, which you'll get bootstrapped if you start a new MVC4 project I believe (easy to activate OAuth-authentication as well). The point I wanted to make is that you can be quite flexible in controlling access to certain pages using those attributes. – Christofer Eliasson Dec 27 '12 at 19:20
  • As I mentioned above, security, in this specific case, is not that important. Thanks... – ramires.cabral Dec 27 '12 at 19:41
0

You should use the Authorize attribute on your controllers/pages instead of cookies and restrict the pages to certain roles and assign users to roles.

Nikola Sivkov
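The [Authorize] / [AllowAnonymous] approach recommended in the answers above, driven from one place through a global filter. This is an added example, not code from any of the answers; it assumes the default MVC 4 project layout (App_Start/FilterConfig.cs called from Global.asax) with authentication already configured, and the controller names and the "Managers" role are hypothetical.

```csharp
using System.Web.Mvc;

// App_Start/FilterConfig.cs in the default MVC 4 template. Global.asax calls
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) at startup.
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());

        // The single point of control: every action in the application now
        // requires an authenticated user unless it explicitly opts out.
        // New controllers are protected by default, with no per-view checks.
        filters.Add(new AuthorizeAttribute());
    }
}

// Hypothetical controller. The login page has to stay reachable for
// anonymous users, otherwise the redirect to it would loop.
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }
}

// Hypothetical controller. The global filter still applies; this attribute
// adds a second requirement, membership in the (assumed) "Managers" role.
[Authorize(Roles = "Managers")]
public class ReportsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // Caveat: [AllowAnonymous] makes every AuthorizeAttribute skip its check,
    // including the role check on this controller, so this action is public.
    [AllowAnonymous]
    public ActionResult Help()
    {
        return View();
    }
}
```

Because the default is deny, a forgotten attribute on a new action fails closed rather than exposing the page, which is the opposite of what a check placed in Layout.cshtml gives you for any view that uses a different layout.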