OnInit and Session in MVC

Question

In ASP.Net, we previously wrote this code for authorization :

public class PageBase : System.Web.UI.Page
{
    protected override void OnInit(System.EventArgs e)
    {
        string CurrentPath = HttpContext.Current.Request.Url.AbsolutePath.ToLower();

        //Check If User Access to this Path
        if(WebUser.Access(CurrentPath) == false)
        {
            Reposponse.Redirect("Loagin.aspx");
        }
    }    
}

And WebUser is a Session that Contains user data:

public User WebUser
{
    get
    {
        if (HttpContext.Current.Session["User"] != null)
        {
            return (User)HttpContext.Current.Session["User"];
        }
        else
        {
            HttpContext.Current.Response.Redirect("Login.aspx", true);
            return null;
        }
    }
}

we inherit all page from PageBase.

Now if I want to write similar code using MVC where I can write a code that run on every request?

Thank

This looks like a very strange custom authorization system. But in general if you're just looking to inject custom code into the framework's request/response pipeline then a custom action filter seems like the ideal approach: https://stackoverflow.com/questions/9511462/run-a-method-in-each-request-in-mvc-c The filter can be applied to specific actions or controllers by way of an attribute, or registered globally to execute on every request. — David, Oct 30 '17 at 12:39
Replaced the `C#-7` tag with `C#` as this doesn't seem specific to v7 of the compiler. Please feel free to undo my change if I am wrong in this regard. — David Arno, Oct 30 '17 at 12:45
Do not misuse Session State for tracking authentication state! By doing this you are introducing a serious security flaw in your application. There are many secure (pre-built / out of the box) ways to track authentication in an asp.net (including mvc) based application like asp.net-identity to name one. — Igor, Oct 30 '17 at 13:14
@Igor Please explain what security consideration should I attend? You mean sessions aren't secure? What type of attacks may occur for me? Thanks — Arian, Oct 30 '17 at 19:41

score 2 · Accepted Answer · answered Oct 30 '17 at 13:21

You want to authenticate and authorize the user in MVC as per your question. You can authenticate and authorize a user using the Authentication and Authorization filters. It is very simple,

You need to create authentication and authorization filter and
then you need to use that filter on Controller(when validating for all action method mentioned in that controller) or Action method (when validation for only action method) as an attribute.

Please look the link to check how we can create authentication and authorization filter and how we can use them in code.

score 1 · Answer 2 · answered Oct 30 '17 at 13:14

You could create a BaseController class and apply it to each of your MVC Controllers. You could add your universal properties and methods to that:

public class ControllerBase : Controller
{
    public string UniversalPath { get; set; }

    public ControllerBase()
    {          
    }
}

And then have your MVC page controllers inherit from your BaseController instead of the default Controller class:

public class ExamplePageController : ControllerBase
{
    public ActionResult Index(int id)
    {
        return View();
    }
}

OnInit and Session in MVC

2 Answers2