5

I'm creating a new ASP.NET web application and I'm not planning on making use of the concept of "roles". I do, however, want to make sure a user is logged in on certain pages. Is there any existing attribute that simply checks if a user is logged in and redirects them or throws an error if they're not? Every search I've done points to using roles (such as this one).

muttley91
  • 12,278
  • 33
  • 106
  • 160
  • 1
    Decorating an action with the `[Authorize]` attribute will only return successfully when the user is logged in. There's also `Request.IsAuthenticated` – trashr0x Sep 04 '15 at 22:21
  • you could also add the [Authorize] attribute to the whole class. – Anonymous Sep 04 '15 at 22:22
  • Take a look at this question http://stackoverflow.com/questions/32095889/mvc-authentication-easiest-way/32096289#32096289 Hope it helps. – Fabio Sep 04 '15 at 22:24

2 Answers2

11

The [Authorize] attribute will only return successfully if the user initiating the request is logged in and will only work on controllers and action methods.

It can be used to decorate a particular action:

public class FooController : Controller
{
    // only FooAction requires authentication in FooController
    [Authorize]
    public async Task<ActionResult> FooAction()
    {        

    }

    public async Task<ActionResult> BarAction()
    {

    }
}

...or an entire controller:

// all actions in FooController require authentication
[Authorize]
public class FooController : Controller
{
    public async Task<ActionResult> FooAction()
    {        

    }

    public async Task<ActionResult> BarAction()
    {

    }
}

You also have Request.IsAuthenticated which can be used on both action and non-action methods:

if (Request.IsAuthenticated) //or @if in Razor
{
    //request is authenticated 
}

...and even User.Identity.IsAuthenticated as @Darko correctly pointed out in his answer. Personally, I prefer Request.IsAuthenticated over User.Identity.IsAuthenticated as it also provides some useful null-checks for User and User.Identity. Here's how Request.IsAuthenticated looks under the hood:

public bool IsAuthenticated
{
    get
    {
        return(_context.User != null 
               && _context.User.Identity != null 
               && _context.User.Identity.IsAuthenticated);
    }
}
trashr0x
  • 6,457
  • 2
  • 29
  • 39
  • 1
    Great answer! I'll make use of each of these options. – muttley91 Sep 05 '15 at 04:45
  • But for aspx pages there is not attribute to check roles or authorization, like in MVC? You have to do this in code? – FrenkyB Feb 18 '19 at 00:34
  • 1
    @FrenkyB yes, there's an `` element you can set up in `web.config`, see [here](https://stackoverflow.com/a/4217649/4302070) - you can also use `User.IsInRole("RoleName")` – trashr0x Feb 18 '19 at 08:29
-2

You can use User property, just put if() where it can control access and that's it. protected void Page_Load(object sender, EventArgs e)

{
    if (User.Identity.IsAuthenticated)
    {
        Page.Title = "Home page for " + User.Identity.Name;
    }
    else
    {
        Page.Title = "Home page for guest user.";
    }
}

This should work after you set the web.config . Here is the documentation https://msdn.microsoft.com/en-us/library/9wff0kyh(v=vs.85).aspx

Darko
  • 67
  • 5
  • 2
    Problem with your link - it talks about Forms Authentication. And Identity framework which is question is about does not use that. Though the part of code where you check `IsAuthenticated` is correct, the rest of sample is not - in MVC there is no `Page` object - you are talking about WebForms, and the question is not about WebForms. – trailmax Sep 05 '15 at 11:21
  • Nothing more to add, just downvoted because it wasn't relevant to the user's question, though it's important information all the same. – maniak1982 Feb 16 '17 at 21:08