We'd like to support password protected pages in our CMS application. The scenario is that an administrator can set a password for a page and upon visiting the page URL, a site visitor would be prompted to enter the password in order to view the page.

The password storage / validation mechanism is not important here. What I'd like to know is the best way to handle multiple authentication cookies with the OWIN Cookie Auth middleware since we'd like the cookie to be persistent so a user does not have to re-enter the password if they refresh the page.

Options I considered:

  1. Setting the path of the auth cookie to the individual page that has been password protected - this way it won't interfere with other password protected pages
  2. Making the cookie name unique to the page being accessed

The issue I can see with the above approaches is that I'm not sure the above options can be configured dynamically at runtime.

Perhaps using the cookie middleware is overkill for this so I'm open to other solutions.

Ben Foster
  • What do you mean by individual? By default the cookie transfers between pages. Are you by chance looking into user roles? For example [`[Authorize(Roles="Admin")]`](http://bitoftech.net/2015/03/11/asp-net-identity-2-1-roles-based-authorization-authentication-asp-net-web-api/) – Christian Gollhardt May 04 '16 at 08:51
  • By individual I mean that after the cookies are page specific, not domain so authenticating to `/pages/somepage` will not grant access to `/pages/someotherpage`. Roles won't help us here. – Ben Foster May 04 '16 at 08:56
  • Why not have 2 roles like `CanAcessSomepage` and `CanAcessSomeotherpage`? Maybe you want to authenticate on [specific permissions](http://stackoverflow.com/questions/19512935/custom-authorization-permissions-asp-net-mvc). Is there any reason you have page specific cookies? – Christian Gollhardt May 04 '16 at 09:04
  • Maybe I didn't make it clear but the pages are dynamic and not all are password protected so we can't use authorize attributes. Thinking about it further I think we'll just create signed cookies for the page ourselves. – Ben Foster May 04 '16 at 09:27
  • You could create your own `AuthorizeAttribute` and decorate your `PageController` with it. It seems like [you can get route data in this attribute](http://stackoverflow.com/a/5554316/2441442) – Christian Gollhardt May 04 '16 at 10:19
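
One way to build the per-page signed cookie value mentioned in the comments, as an added example that is not code from the question or from the OWIN middleware. The class name, token layout and path normalization are assumptions made for illustration, and password checking is out of scope as in the question.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; PageAccessToken and its members are hypothetical names.
public static class PageAccessToken
{
    // Call after the page password has been verified. Token layout:
    // base64(path|expiryUnix) + "." + base64(HMAC-SHA256(key, path|expiryUnix))
    public static string Issue(byte[] key, string pagePath, DateTimeOffset expires)
    {
        byte[] data = Encoding.UTF8.GetBytes(Normalize(pagePath) + "|" + expires.ToUnixTimeSeconds());
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(Sign(key, data));
    }

    // The cookie Path attribute only limits when the browser sends the cookie; the server
    // must still check that the signed path matches the page being requested.
    public static bool Validate(byte[] key, string token, string requestedPath, DateTimeOffset now)
    {
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] data, mac;
        try { data = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(mac, Sign(key, data))) return false; // verify before parsing
        string payload = Encoding.UTF8.GetString(data);
        int sep = payload.LastIndexOf('|');
        long exp;
        if (sep < 0 || !long.TryParse(payload.Substring(sep + 1), out exp)) return false;
        return payload.Substring(0, sep) == Normalize(requestedPath) && now.ToUnixTimeSeconds() < exp;
    }

    // Assumption: the CMS treats page paths as case-insensitive and ignores a trailing slash.
    static string Normalize(string path) { return path.TrimEnd('/').ToLowerInvariant(); }

    static byte[] Sign(byte[] key, byte[] data)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(data);
    }

    // Constant-time comparison so the MAC check does not leak how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The key is a random server-side secret, and the cookie carrying the token would be set with its path limited to the page, marked HttpOnly and Secure, and given the same expiry as the token. Because the path and expiry are inside the MAC, a token issued for `/pages/somepage` fails validation on `/pages/someotherpage` even if a client replays it there.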
