2

We are trying to do some website which has login screen. But we have a problem. Our domain is localhost/Login/User. But if user enters localhost/Home/Index, he/she can reach our main site without login. So we wrote [Authorize] to our Index Controller. But I couldn't find out what I must use. Am I have to use AuthorizeAttribute in our project?

#Login Page
public class LoginController : Controller
{
     //GET: Login
    [IntranetAction]
    public ActionResult Users()
    {
        return View();
    }

    public ActionResult Authentication(UserLoginInfo loginInfo)
    {
        bool isAuthenticated = new LdapServiceManager().isAuthenticated(loginInfo);


        if (isAuthenticated)
        {
            //AUTHORIZED
            Session["userName"] = loginInfo.username;
            return Redirect("/Home/Index");
        }
        //WORNG PASSWORD, BACK TO LOGIN PAGE
        TempData["message"] = "Yanlış kullanıcı adı ya da şifre";
        return Redirect("/");
    }
}

Index Page

[Authorize]
public ActionResult Index()
{
    Session["ip"] = Request.UserHostAddress;
    if (IsDbExists())
    {
        _contactList = new List<Contact>();
        UpdateOperations();
        return View(_contactList);
    }

    Response.Redirect("/Loading/LoadingScreen");
    return null;
}

How can I access index in my LoginController/Authentication function

tereško
  • 58,060
  • 25
  • 98
  • 150
Berkin
  • 1,565
  • 5
  • 22
  • 48

1 Answers1

2

Add [AllowAnonymous] attribute. I would add another controller called AuthController which would have an [AllowAnonymous] attribute so users would be able to log in without actually being logged in.

I usually would filter all controllers by default and would add the [AllowAnonymous] attribute to the ones that would be accessed by anyone.

I use this to deal with that.

using System.Web.Mvc;

namespace Test
{
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            filters.Add(new AuthorizeAttribute());
        }
    }
}

An example of the [AllowAnonymous] attribute in the AuthController.

using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using BusinessLogic.Services;
using Common.Models;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

namespace Test.Controllers
{
    [AllowAnonymous]
    public class AuthController : Controller
    {
        private readonly IUsersService _usersService;

        public AuthController(IUsersService usersService)
        {
            _usersService = usersService;
        }

        [HttpGet]
        public ActionResult LogIn()
        {
            return View();
        }

        [HttpPost]
        public ActionResult LogIn(LoginModel loginModel)
        {
            if (!ModelState.IsValid)
            {
                return View();
            }

            var isValid = _usersService.AuthenticateUser(loginModel);
            if (isValid)
            {
                var identity = new ClaimsIdentity(new[]
                {
                    new Claim(ClaimTypes.NameIdentifier, loginModel.Username),
                    new Claim(ClaimTypes.Name, loginModel.Username),
                }, DefaultAuthenticationTypes.ApplicationCookie);

                Request.GetOwinContext().Authentication.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);

                return Redirect(GetRedirectUrl(loginModel.ReturnUrl));
            }

            ModelState.AddModelError("", "Invalid credentials");
            return View();
        }

        public ActionResult LogOut()
        {
            var ctx = Request.GetOwinContext();
            var authManager = ctx.Authentication;

            authManager.SignOut("ApplicationCookie");
            return RedirectToAction("index", "home");
        }

        private string GetRedirectUrl(string returnUrl)
        {
            if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
            {
                return Url.Action("index", "home");
            }
            return returnUrl;
        }
    }



}

References which might help you : http://benfoster.io/blog/aspnet-identity-stripped-bare-mvc-part-1

https://softwareengineering.stackexchange.com/questions/284380/is-formsauthentication-obsolete

Role-based access control (RBAC) vs. Claims-based access control (CBAC) in ASP.NET MVC

https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet

Community
  • 1
  • 1
Monroy
  • 420
  • 5
  • 19