
I come from a PHP background, and whenever I have created a login page and pages that require you to be logged in to see, I have followed the approach found here:

How to check if a user is logged-in in php?

Which basically relies on creating a session: at the top of any page it checks if the session exists and, if it does not, redirects back to the login page; if it does exist, it continues to read the rest of the PHP code.

However, I am now trying to learn ASP.NET 3.1 and creating a web application using it. I have found a lot of resources on the Identity framework; however, that seems to have so much more than I really need when you compare it with what I was doing above in PHP, which I assume is secure as is, since no cookies are stored, unlike what I see in most Identity framework implementations.

I am not seeing any authentication examples similar to this PHP method in ASP.NET 3.1 where, at the top of each Razor page, they check for session state and, if it fails, redirect to the login page. I assume this should be a simple and secure method of doing this, so why is it not as popular in ASP.NET Core? Also, could you point me in the direction of an example of this being done, if it is good practice similar to PHP? I will admit I found one example on Stack Overflow, which I cannot seem to locate again, where the user added a check-for-session function in the Startup.cs file and indicated it would be bad practice but did not expand on it at all.

Irish Redneck
  • I'll leave this here: https://stackoverflow.com/questions/48836688/what-exactly-is-useauthentication-for that will most likely answer some of your questions. – Marco Nov 10 '20 at 14:52
  • ASP.NET Core tries to enforce good practices and discourage bad ones, so it's often not easy to find ways to do things "like in PHP" there. – Evk Nov 10 '20 at 16:25

1 Answer


Sessions are volatile. They can be cleared on the server unpredictably for any one of a number of reasons. That's why the formal ASP.NET authentication frameworks are cookie-based. That is considered a more user-friendly way to deal with maintaining authentication credentials, rather than redirecting a user to the login page when they were in the middle of doing something.

You don't have to use Identity. You can validate a user against any store and issue cookies accordingly, e.g.: https://www.mikesdotnetting.com/article/335/simple-authentication-in-razor-pages-without-a-database

Mike Brind
  • So would you avoid using HttpContext.Session.SetString() in that case? – Irish Redneck Nov 23 '20 at 23:56
  • I wouldn't use it to store a user's authentication status. – Mike Brind Nov 24 '20 at 07:32
  • I am going to upvote your response as I was able to use that tutorial to create a login cookie. I do have one question though. Do these default authentication cookies come encrypted (when made persistent) and I’m assuming they store the username and password. How difficult would it be for someone to unencrypt these default authentication cookies made by asp.net core 3.1 identity? – Irish Redneck Nov 29 '20 at 15:46
  • Yes, they are encrypted. They don't contain the password. By default, ASP.NET Identity hashes the password before storing it so it can never be retrieved. The encryption is done using SHA256, I believe. – Mike Brind Nov 29 '20 at 16:29
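Worked example of the approach the answer recommends, added here for illustration; it is not code from the answer, from the linked article, or from ASP.NET Core itself. It wires up cookie authentication in an ASP.NET Core 3.1 Razor Pages app without Identity: the credential check runs against a hypothetical in-memory store (`DemoUserStore`, the user `alice` and its password are all constructed for this example), the cookie carries a claims ticket that the framework encrypts and signs with its Data Protection keys, and `[Authorize]` on a page takes the place of the PHP-style "check the session at the top of every page". The password only ever exists in the store as a salted PBKDF2 hash and is never written into the cookie.

```csharp
// Added example (not from the answer or the linked article): cookie authentication in
// ASP.NET Core 3.1 Razor Pages with a hypothetical in-memory user store and no Identity.
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

// Startup.cs: register the cookie scheme and put the auth middleware in the pipeline.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddRazorPages();
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Login";                            // where [Authorize] sends anonymous users
                options.Cookie.HttpOnly = true;                          // not readable from page script
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                options.SlidingExpiration = true;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication(); // decrypts and validates the cookie ticket into HttpContext.User
        app.UseAuthorization();  // enforces [Authorize]; no per-page session check needed
        app.UseEndpoints(endpoints => endpoints.MapRazorPages());
    }
}

// Hypothetical store: one constructed user, password kept only as a salted PBKDF2 hash.
public static class DemoUserStore
{
    private const int Iterations = 100_000;
    private static readonly byte[] Salt = NewSalt();
    private static readonly byte[] DemoHash = Hash("correct horse battery", Salt); // constructed demo credential

    private static byte[] NewSalt() { var s = new byte[16]; RandomNumberGenerator.Fill(s); return s; }

    private static byte[] Hash(string password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        return kdf.GetBytes(32);
    }

    // Returns the user name on success, null otherwise; the hash comparison is constant-time.
    public static Task<string> ValidateAsync(string username, string password)
    {
        bool ok = username == "alice"
               && CryptographicOperations.FixedTimeEquals(Hash(password ?? "", Salt), DemoHash);
        return Task.FromResult(ok ? username : null);
    }
}

// Pages/Login.cshtml.cs: validate against the store, then issue the cookie.
public class LoginModel : PageModel
{
    [BindProperty] public string Username { get; set; }
    [BindProperty] public string Password { get; set; }

    public async Task<IActionResult> OnPostAsync(string returnUrl = null)
    {
        var name = await DemoUserStore.ValidateAsync(Username, Password);
        if (name == null)
        {
            ModelState.AddModelError(string.Empty, "Invalid user name or password.");
            return Page();
        }

        // The ticket carries claims only; the password is never placed in it.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, name) },
                                          CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity),
                                      new AuthenticationProperties { IsPersistent = false });

        // LocalRedirect rejects absolute URLs, so returnUrl cannot be abused as an open redirect.
        return LocalRedirect(returnUrl ?? "/");
    }

    // Posting to ?handler=Logout clears the cookie.
    public async Task<IActionResult> OnPostLogoutAsync()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToPage("/Index");
    }
}

// Pages/Secret.cshtml.cs: the attribute replaces the PHP-style "check session at the top".
[Authorize]
public class SecretModel : PageModel
{
    public string Who => User.Identity.Name;
}
```

The Razor views (`Login.cshtml` with a form bound to `Username` and `Password`, `Secret.cshtml` showing `Model.Who`) are omitted; Razor Pages adds the antiforgery token to the form and validates it on POST automatically. Compared with the session approach from the question, the server keeps no per-user state to lose: the cookie ticket itself is the proof of authentication, and because it is protected by the Data Protection keys, a client cannot read or alter the claims inside it.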