
I have two views Login.cshtml and Info.cshtml. In the first, the user enters his personal account and clicks the Login button. After that, it goes to the Info.cshtml view. Information about the user should be displayed in it.

Code PersonalAreaController.cs

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.EntityFrameworkCore;

    public class PersonalAreaController : Controller
    {
        private readonly CompanyContext _context;

        // Note: this property hides the inherited Controller.User (ClaimsPrincipal),
        // and it lives only as long as this controller instance, i.e. one request.
        private Users User { get; set; }

        public PersonalAreaController(CompanyContext context)
        {
            _context = context;
        }

        // GET: shows the login form
        public IActionResult Login()
        {
            return View();
        }

        // POST: looks up the user by personal account and redirects to Info
        [HttpPost]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> Login([Bind("PersonalAccount")] Users user)
        {
            if (ModelState.IsValid)
            {
                User = await _context.Users.FirstOrDefaultAsync(
                            c => c.PersonalAccount == user.PersonalAccount);
                return RedirectToAction(nameof(Info));
            }
            return View();
        }

        // GET after the redirect: passes the stored user to the view
        public IActionResult Info()
        {
            return View(User);
        }
    }
Nooruz
    Is the C tag relevant for this question? – Support Ukraine Aug 30 '19 at 07:36
  • What does "unable to" mean exactly? You get an error or unexpected behaviour? Or you don't understand how to do something? Please explain the nature of your problem clearly and in detail. We can't run your code or see your data etc., so we rely on your description in order to be able to help you. Thanks. – ADyson Aug 30 '19 at 08:17
  • I'm going to guess the issue is because you don't pass any kind of model into the Info() action. You need to just return that view, with a model object, rather than redirecting. (Or, a common solution is you redirect but pass an ID instead of a whole model, and then the Info() action would take that ID and fetch the data from the database.) – ADyson Aug 30 '19 at 08:18
  • P.S. Your "login" action doesn't seem to be actually verifying whether the user exists or has valid credentials - right now you simply run a query and then redirect, regardless of the result. Did you forget that, or are you planning to complete the code later? – ADyson Aug 30 '19 at 08:20
  • You may need to log the user in using the ASP.NET infrastructure. Take a look at https://stackoverflow.com/questions/19091157/how-do-you-login-authenticate-a-user-with-asp-net-mvc5-rtm-bits-using-aspnet-ide – Martin Staufcik Aug 30 '19 at 08:21
  • @MartinStaufcik it's not necessary to deal with this specific issue, but I would agree that overall it would make more sense to use the ready-made, tested, secure ASP.NET Identity infrastructure. I don't know anyone using ASP.NET who would bother to write their own login code these days :) – ADyson Aug 30 '19 at 08:55
  • @ADyson Thank you so much for your response! I don't need ASP.NET Identity. The site is one I make for our consumers, so that consumers can find out their debt to our organization. Login.cshtml has only one input field, in which the consumer enters his personal account; after entering it, Info.cshtml shows the consumer's debt. To check that the consumer exists, I use the range 30000 to 40000 on the input field. – Nooruz Sep 02 '19 at 10:54
  • @ADyson From Login.cshtml I successfully get the entered account. After going to Info.cshtml, the obtained personal account is deleted. – Nooruz Sep 02 '19 at 10:58
  • You might not **need** ASP.NET Identity, but since it provides a ready-made and reliable login system it would probably save you some time and reduce the risk of security bugs in your application. I can't think of a good reason not to use it, unless you have some very unusual requirements (and even then, there are some extensibility points to assist with that). – ADyson Sep 02 '19 at 12:47
  • P.S. A system where the user must enter nothing except their account number in order to access their data does not sound secure at all. I don't know what country this is aimed at, but in many countries, since you are dealing with financial data, you would likely be in breach of many regulations and even laws relating to data protection, use of financial data etc. There should be additional checks to verify the identity of the user and ensure they have not falsely obtained the account number. – ADyson Sep 02 '19 at 12:50
  • P.P.S. I don't see how a range limit in the input field does anything to verify the user account exists. What happens if an account in that range is deleted or deactivated? Also it's trivial for a user with a bit of knowledge to disable or bypass checks which are made in an HTML form, and send a request direct to your server without validation. You must use validation on the server side as well. (And please understand that range validation is simply a bit of basic maths. It is **not** security or identity verification.) I think you need to seriously reconsider your approach to all of this. – ADyson Sep 02 '19 at 12:53

0 Answers
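Putting ADyson's suggestions into code (validate on the server, confirm the account exists, redirect with the account number rather than a stored object, and let Info() load the record): this is an added example, not code from the question or from anyone in the thread. It assumes the CompanyContext and Users types from the question, with Users.PersonalAccount an int, the 30000 to 40000 range the asker mentioned, and a hypothetical id route value.

```csharp
// Added example, not the asker's code. Assumes the CompanyContext and Users types
// from the question, with Users.PersonalAccount an int (the asker's 30000..40000 range).
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public class PersonalAreaController : Controller
{
    private readonly CompanyContext _context;

    public PersonalAreaController(CompanyContext context) => _context = context;

    public IActionResult Login() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login([Bind("PersonalAccount")] Users user)
    {
        // The HTML form's range check can be bypassed by posting directly,
        // so the same rule is enforced on the server.
        if (user.PersonalAccount < 30000 || user.PersonalAccount > 40000)
            ModelState.AddModelError(nameof(user.PersonalAccount), "Account number out of range.");

        // Verify the account really exists before redirecting.
        if (ModelState.IsValid &&
            !await _context.Users.AnyAsync(u => u.PersonalAccount == user.PersonalAccount))
            ModelState.AddModelError(nameof(user.PersonalAccount), "Unknown personal account.");

        if (!ModelState.IsValid)
            return View(user);

        // A new controller instance handles the redirected GET, so a field set here
        // is gone by then; carry only the identifier in the route values instead.
        return RedirectToAction(nameof(Info), new { id = user.PersonalAccount });
    }

    public async Task<IActionResult> Info(int id)
    {
        // Load the record in the request that actually renders the view.
        var user = await _context.Users.FirstOrDefaultAsync(u => u.PersonalAccount == id);
        return user is null ? NotFound() : View(user);
    }
}
```

This fixes the lost-state problem only; as ADyson points out, knowing an account number is not proof of identity, and the number now sits in the URL, so in production Info should sit behind a real login (for example ASP.NET Core Identity with [Authorize]) that ties the signed-in user to the account being shown.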