
I need the best ways to do role-based menu navigation. My application is in ASP.NET Core MVC and I have used cookie-based authentication. I am also using claims identity.

aminography
  • Please provide a small reproducible code example or any clue as to what problems you are facing. – Stefan Nov 19 '19 at 11:32
  • I am creating an AuthenticationTicket after the login functionality, but I am unable to find the best way to verify this ticket. I am also not sure if this is the best way to load the menu bar. I need to know the best way possible to do user validation and menu bar navigation based on cookie authentication. – Poonam Londhe Nov 21 '19 at 07:03

1 Answer


If you're using cookie authentication for ASP.NET Core, that means that on each request you need to validate the user's role. Based on what role is defined in the cookie, you show certain things in your view. Here is how you create the cookie:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                        1, //ticket version
                        person.username,
                        DateTime.Now,
                        DateTime.Now.Add(new TimeSpan(2, 0, 0)),
                        true, //persistent cookies
                        "Administrator",// <---ROLES // 
                        FormsAuthentication.FormsCookiePath
                    );


string hashedTicket = FormsAuthentication.Encrypt(ticket);

HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashedTicket);

HttpContext.Response.Cookies.Add(cookie);

return RedirectToLocal(returnUrl);

Add that to your login/signup mechanism.

Then in your global.asax you should have the following method:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // look if any security information exists for this request
        if (HttpContext.Current.User != null)
        {
            // see if this user is authenticated, any authenticated cookie (ticket) exists for this user
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                // see if the authentication is done using FormsAuthentication
                if (HttpContext.Current.User.Identity is FormsIdentity)
                {
                    // Get the roles stored for this request from the ticket
                    // get the identity of the user
                    FormsIdentity identity = (FormsIdentity)HttpContext.Current.User.Identity;
                    //Get the form authentication ticket of the user
                    FormsAuthenticationTicket ticket = identity.Ticket;
                    //Get the roles stored as UserData into ticket
                    string[] roles = { ticket.UserData };


                    //Create general principal and assign it to current request

                    HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(identity, roles);
                }
            }
        }
    }

Then in your view when you want to show certain html to admin add this:

@if (User.IsInRole("Administrator"))
{
     <li>
         <a href="@Url.Action("Index","Main",new { Area = "Admin" })">Admin</a>
     </li>
     <li>
         <a href="#" onclick="showpencil()">Edit</a>
     </li>
}

Small update: if you want to filter access in controllers, just add:

[Authorize(Roles = "Administrator")] 

at class level if you want to limit all methods, or add it just above a single method if you want to limit only that method.

Darko
  • Thanks Darko for the detailed answer. I am using ASP.NET Core with MVC, so instead of the FormsAuthentication cookie, I am using AuthenticationTicket as: authTicket = new AuthenticationTicket(principal, props, CookieAuthenticationDefaults.AuthenticationScheme); The rest of the code I will use as a reference. Thanks again – Poonam Londhe Nov 21 '19 at 06:54
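
For the ASP.NET Core setup named in the question and in the last comment, the same flow (issue a cookie carrying the role, have it validated on every request, enforce the role on the server) looks like this with the cookie authentication handler. This is an added example, not code from the answer or from either poster; it assumes a .NET 6+ web project with implicit usings, and `LookupRoles`, the demo account and the controller names are hypothetical.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        o.ExpireTimeSpan = TimeSpan.FromHours(2);          // two hours, as in the answer's ticket
        o.Cookie.HttpOnly = true;                          // not readable from script
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
        o.Cookie.SameSite = SameSiteMode.Lax;
    });

var app = builder.Build();
app.UseRouting();
app.UseAuthentication(); // decrypts and validates the cookie ticket, then sets HttpContext.User
app.UseAuthorization();  // enforces [Authorize] before the action runs
app.MapDefaultControllerRoute();
app.Run();

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string username, string password)
    {
        string[]? roles = LookupRoles(username, password);
        if (roles is null) return Unauthorized();
        // One role claim per role; User.IsInRole and [Authorize(Roles = ...)] read these.
        var claims = new List<Claim> { new(ClaimTypes.Name, username) };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity), new AuthenticationProperties { IsPersistent = true });
        return LocalRedirect("/");
    }
    // Hypothetical stand-in with a constructed demo account; use a real credential store.
    private static string[]? LookupRoles(string user, string password) =>
        user == "demo-admin" && password == "demo-password" ? new[] { "Administrator" } : null;
}

[Authorize(Roles = "Administrator")] // server-side check; hiding a menu link is not access control
public class AdminController : Controller
{
    public IActionResult Index() => Content("admin area");
}
```

The answer's `@if (User.IsInRole("Administrator"))` view check works unchanged against these role claims, because `ClaimsIdentity` uses `ClaimTypes.Role` as its role claim type by default.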