Authorization in MVC

Question

[HttpPost]
    public ActionResult Login(UserVM userVM)
    {         
       if (ModelState.IsValid || userVM.CheckWindowsAuth)
            {
                _userLF.UserName = userVM.UserName;
                _userLF.Password = userVM.Password;

                if (_userLF.AuthenticateUser(_userLF, userVM.CheckWindowsAuth))
                {
                }

The above line takes my user name and password for authentication and returns true or false.

I have added Authorize attribute to all other controller like below:

[Authorize]
public class ClaimsController : Controller
{}

When my below line in my Login method confirms that user is authenticated successfully by returning true, I want [Authorize] to be overridden in other controller.

if (_userLF.AuthenticateUser(_userLF, userVM.CheckWindowsAuth))
{
}

For example the controller below even when user authentication returns true, but because I have given Authorize attribute to Home controller the control does not enter the Home Controller. I want Authorize attribute to know that user is already authenticated and let request successfully map to my action in this controller (so I can open Home page):

[Authorize]
public class ClaimsController : Controller
{
}

Answer 1

If You do not want to use ASP built-in things like MembershipProvider and Identity, the fastest way would be to create a custom authorize attribute. Please check this link or this link for more information.

For Your custom attribute to work, it will need to get information that you have in Your _userLF. This can be stored in session. So, at Login method You check user's information and store it in session, this information is later used by Your custom authorize attribute, then at log off this information is cleared using Session.Clear(). You can check this answer for an example of an attribute.

Answer 2

You can create your own Authorization attribute. Something like this:

    public class MyAuthorizeAttribute : AuthorizeAttribute
    {
        public override bool Authorize()
        {
            //Your logic here    
            if (_userLF.AuthenticateUser(_userLF, userVM.CheckWindowsAuth))
            {
                return true;
            }
            else
            {
                return false;
            }
        }
    }

and in your controller use this new created attribute:

[MyAuthorizeAttribute]
public class ClaimsController : Controller
{
}

Answer 3

If I understand you question correctly, I think you need to set Auth cookie if you are using FormsAuthentication after successful authentication.

You can do so by calling:

FormsAuthentication.SetAuthCookie(username, rememberMe);

Above call will create an authentication ticket for the given userName and attaches it to the cookies collection of the outgoing response.

So basically your code will look like below:

    [HttpPost]
    public ActionResult Login(UserVM userVM, bool rememberMe = false)
    {
        if (ModelState.IsValid || userVM.CheckWindowsAuth)
        {
            _userLF.UserName = userVM.UserName;
            _userLF.Password = userVM.Password;

            if (_userLF.AuthenticateUser(_userLF, userVM.CheckWindowsAuth))
            {
                FormsAuthentication.SetAuthCookie(userVM.UserName, rememberMe);
            }
        }
    }

Once the authentication token is set, it will be sent in every request and you will see Request.IsAuthenticated to true. Authorize attribute will let the request pass through to target controller action with this set up.