Require Authenticated User to Change Password - asp.net

Using ASP.Net Web Forms and ASP.Net MVC 3 (combined; we are in the process of changing Web Forms to MVC), I have a scenario where a person authenticates (user name / password) but, due to a specific condition existing on their account, they are required to change their password before proceeding.
Since the user is already authenticated, is there a global location where I can prevent any access to the portions of the site that require authentication until they enter their new password? I understand that there might have to be 2 locations (one for Web Forms, the other for MVC).

In Application_AuthenticateRequest check for the specific condition. If it is not met (i.e. they must change their password), redirect to the proper page. This should work for MVC and WebForms.

You could have a custom RoleProvider that uses a flag in the user class to determine if the password needs to be changed before validating the role for a user.

I'd put it as a property in the User model (i.e. public bool ChangedPassword {get;set;}). This will be set as False when the user is created, and set as True when the user changes the password. Before any protected action, check if ChangedPassword == True.
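Putting the first and third answers together, here is an added example (not code from any of the answers) of the gate in Global.asax: a per-user "must change password" flag is checked once per request after Forms Authentication has identified the user, so Web Forms pages and MVC actions are covered by the same code. The UserStore class is a constructed stand-in for the application's own user table, and the ChangePassword, LogOff and Content paths are assumptions. The one thing people get wrong here is forgetting to exempt the change-password page itself, which turns the gate into a redirect loop.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.Security;

// Constructed stand-in for the user table: in a real site this is a column on the user
// row, set when the special condition occurs and cleared by the change-password handler.
public static class UserStore
{
    private static readonly ConcurrentDictionary<string, bool> mustChange =
        new ConcurrentDictionary<string, bool>(StringComparer.OrdinalIgnoreCase);

    public static void RequirePasswordChange(string userName) { mustChange[userName] = true; }

    // Call this from the change-password handler once the new password has been saved.
    public static void ClearPasswordChange(string userName) { bool _; mustChange.TryRemove(userName, out _); }

    public static bool MustChangePassword(string userName)
    {
        bool flag;
        return mustChange.TryGetValue(userName, out flag) && flag;
    }
}

public class Global : HttpApplication
{
    private const string ChangePasswordUrl = "~/Account/ChangePassword"; // assumed location
    private const string LogOffUrl = "~/Account/LogOff";                 // assumed location
    private const string StaticContentUrl = "~/Content/";                // assumed folder for css/js

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule runs before Global.asax handlers, so Context.User is set.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;

        if (!UserStore.MustChangePassword(Context.User.Identity.Name))
            return;

        if (IsExempt(Request.Path))
            return;

        // Every other authenticated request is sent to the change-password page until the
        // flag is cleared. endResponse: true ends the pipeline so no page or action runs.
        string target = VirtualPathUtility.ToAbsolute(ChangePasswordUrl)
                      + "?ReturnUrl=" + HttpUtility.UrlEncode(Request.RawUrl);
        Response.Redirect(target, true);
    }

    // Paths that must stay reachable while the gate is on; without these the redirect
    // loops, or the user cannot sign out.
    private static bool IsExempt(string path)
    {
        return path.StartsWith(VirtualPathUtility.ToAbsolute(ChangePasswordUrl), StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(VirtualPathUtility.ToAbsolute(LogOffUrl), StringComparison.OrdinalIgnoreCase)
            || path.Equals(FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase)
            || path.StartsWith(VirtualPathUtility.ToAbsolute(StaticContentUrl), StringComparison.OrdinalIgnoreCase);
    }
}
```

The check hits the user store on every request; if that is too expensive, cache the flag per user for a short time, but do not move it into the cookie, because the whole point is that a cookie issued before the condition arose must still be gated. Also make sure the change-password handler verifies the old password (or whatever the condition demands) before clearing the flag, otherwise the gate only proves the user can reach a form.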

Related

asp.net identity 2 require particular claim to log in

In ASP.NET MVC 5, is there a way to allow user login only if the user has a particular claim in the user database? I'd like to assign a "CanLogin" claim to users in my user database that are allowed to log in at any given time. By removing the "CanLogin" claim, I could effectively lock the users out of the system until further notice.
This would have to work for a first time login as well as cookie login at a later stage if the user has checked "remember my login".
Using an authentication filter, you can check the Identity.Claims property to validate whatever claims are present in the context.
The claims must be added during the login process.
Then you can check whether a particular user is enabled or not.
However, if the user database is self-maintained, you can just set a disabled flag and then reject the login request, instead of returning such a claim.
The claims are used for authorization to a particular functionality rather than authentication to an app. A valid user will have certain claims which can tell what the user is permitted to do.
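As an added example (not the answerer's code), here is the MVC 5 authentication filter the answer describes: it inspects the claims already present on the authenticated principal and refuses the request unless the "CanLogin" claim is there. The claim type URI and the "~/Account/Login" route are assumptions; the rest is the standard ASP.NET Identity 2 / OWIN cookie setup.

```csharp
using System.Security.Claims;
using System.Web;          // GetOwinContext() extension (Microsoft.Owin.Host.SystemWeb)
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using Microsoft.AspNet.Identity;

// Register once in FilterConfig: GlobalFilters.Filters.Add(new RequireCanLoginAttribute());
// or apply per controller/action like any other filter attribute.
public sealed class RequireCanLoginAttribute : FilterAttribute, IAuthenticationFilter
{
    public const string CanLoginClaimType = "urn:example:CanLogin"; // assumed claim type

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        var principal = filterContext.Principal as ClaimsPrincipal;

        // Anonymous requests are left alone here; [Authorize] or the action decides about them.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return;

        // The claims come out of the cookie ticket, so this works for a fresh login and for a
        // persistent "remember me" cookie alike, and costs no database round trip.
        if (!principal.HasClaim(c => c.Type == CanLoginClaimType && c.Value == "true"))
        {
            // Fail closed: an authenticated user without the claim is treated as unauthenticated.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        if (!(filterContext.Result is HttpUnauthorizedResult))
            return;

        // Drop the application cookie so the user lands on the login page instead of looping
        // back into this filter with the same cookie.
        filterContext.HttpContext.GetOwinContext().Authentication
            .SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        filterContext.Result = new RedirectResult("~/Account/Login"); // assumed login route
    }
}

// Granting and revoking the claim is ordinary Identity 2 user management. Claims stored in
// AspNetUserClaims are included when the identity is created at login, so nothing else is
// needed on the login path (userManager and userId are whatever the calling code has):
//
//   await userManager.AddClaimAsync(userId, new Claim(RequireCanLoginAttribute.CanLoginClaimType, "true"));
//   await userManager.RemoveClaimAsync(userId, new Claim(RequireCanLoginAttribute.CanLoginClaimType, "true"));
//   await userManager.UpdateSecurityStampAsync(userId); // see note below
```

One caveat the thread glosses over: because the filter reads the claim from the cookie, removing the claim from the database does not affect a cookie that was issued while the claim was present. ASP.NET Identity 2 addresses this with the SecurityStampValidator configured on the cookie provider in the project template's Startup.Auth.cs; it re-reads the user at most every validateInterval and rebuilds the identity from the database, so a lock-out takes effect within that interval, or immediately on the next validation if you also call UpdateSecurityStampAsync when removing the claim. Set validateInterval to something short (minutes, not hours) if the lock-out needs to be prompt.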

How do I set the Authorize attribute role for the user in MVC4?

I'm trying to use the Authorize attribute on an MVC 4 application:
[Authorize(Roles = "Administrator, Super-User")]
public JsonResult Remove(int id)
{
.
.
.
}
I know that only the roles "Administrator" and "Super-User" are authorized to execute the method Remove, but how can I set the role for the actual user of the application?
The answer is - somehow, so that HttpContext.Current.User is set and the IsInRole method returns true.
The easiest way to do this would be to follow one of built-in mechanisms of authentication/authorization: Forms authentication or Windows authentication.
The former requires that the request carries a valid forms cookie issued by the server. The latter requires that the request principal can be authenticated in the domain controller.
You are however free to implement a custom authentication module.
If you are just starting to learn this, probably you'd like to use Forms Authentication for this. Just let your users log in, issue the cookie and the cookie will automatically be carried by subsequent ajax request (assuming your server code is called from within javascript client-side ajax call).
You can add the current user to a role using
Roles.AddUsersToRole(new string[] { HttpContext.Current.User.Identity.Name }, "Admin");
The Roles class is available in the System.Web.Security namespace.
If you want to add users and roles:
- Open your solution in Visual Studio
- Go to Project -> ASP.NET Configuration -> Security tab
You can add a user to roles using a Role Provider.
var rolesProvider = (SimpleRoleProvider)Roles.Provider;
Check that the role exists:
if (!rolesProvider.RoleExists("SuperUser"))
{
    rolesProvider.CreateRole("SuperUser");
}
Check if the user is in the role already; if not, add the user to the role:
if (!rolesProvider.IsUserInRole("JohnSmith", "SuperUser"))
{
    rolesProvider.AddUsersToRoles(new[] { "JohnSmith" }, new[] { "SuperUser" });
}
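The answers above assume a RoleProvider. As an added example (not from any of the answers), here is the other common way to make HttpContext.Current.User.IsInRole return true, which is all [Authorize(Roles = "...")] needs: store the roles in the forms ticket's UserData when the cookie is issued, and rebuild the principal from the ticket on every request in Global.asax. No RoleProvider or membership database is involved; the roles passed to Issue are assumed to come from the application's own user lookup.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public static class RoleCookie
{
    // Called from the login page or action after the password has been verified.
    // 'roles' is whatever the application's own user store says this user holds.
    public static void Issue(string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, string.Join(",", roles), FormsAuthentication.FormsCookiePath);

        // Encrypt() both signs and encrypts with the machineKey, so a client cannot
        // promote itself to Administrator by editing the cookie.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
            cookie.Expires = ticket.Expiration;

        HttpContext.Current.Response.Cookies.Add(cookie);
    }

    // Roles stored in the ticket, or an empty array if none were stored.
    public static string[] RolesFrom(FormsAuthenticationTicket ticket)
    {
        return string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }
}

public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has decrypted and validated the ticket by now.
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null)
            return; // anonymous request, or some other authentication scheme

        // Replace the bare FormsIdentity principal with one that knows the roles, so that
        // User.IsInRole("Administrator") and [Authorize(Roles = "Administrator, Super-User")] work.
        Context.User = new GenericPrincipal(identity, RoleCookie.RolesFrom(identity.Ticket));
        Thread.CurrentPrincipal = Context.User;
    }
}
```

Two things to keep in mind with this pattern. The roles are a snapshot taken at login, so removing a role from a user only takes effect when their ticket expires or they log in again; if revocation must be immediate, look the roles up per request instead of trusting the ticket. And leave roleManager disabled in web.config (the default), because when it is enabled the RoleManagerModule replaces Context.User with its own RolePrincipal during the same PostAuthenticateRequest stage and the two fight over the principal.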

Multiple login pages within the same ASP.Net application using Forms Authentication

I have an ASP.Net application that makes use of Forms authentication. I have two folders that are "protected" for administrators and registered users. I want to have two different login pages based on whether the user is trying to access the /admin/ or /members/ folder. Based on my understanding, there can only be one login page configured in the web.config when using Forms-based authentication?
At the moment I am using code to identify which "mode" the login page should display as on the page load of the login page. Below is a snippet of this code to convey the approach I am using:
Select Case GetRootFolderName(Request.QueryString("ReturnUrl"))
Case "members"
Return PageModes.Merchants
Case "admin"
Return PageModes.Admin
Case Else
Throw New Exception("Invalid protected folder")
End Select
Ideally I would like to have two separate login pages. Is this possible?
You can have as many login pages as you want, and style them up as you see fit. The underlying membership provider will still return the same authentication token (usually as a cookie) whatever login page you used.

MVC Forms Authentication with custom database

I'm trying to get forms authentication working for an MVC site. I have a custom database with a users table, and I would like to do my own password validation.
I am logging in my user like this:
if (PasswordHasher.Hash(password) == dataUser.Password)
{
FormsAuthentication.SetAuthCookie(email, true);
return true;
}
The problem is, when the session expires obviously the user has to login again.
I am thinking I should be storing this Auth cookie in my users table?
Update: I'm obviously in desperate need of more education in this area. I just noticed that the user stays authenticated even after an iisreset.
I guess what I'm asking is how can I get persistent and non persistent authentication working properly. I want a user to not have to login again if they click "remember", and if they don't then their authentication should expire when the forms authentication is set to expire.
Turns out I forgot to put my variable in the second argument of the SetAuthCookie method. It was always sending true for the "persistent" argument. FML.
I'd recommend implementing a custom Membership Provider so you can leverage the existing controls or patterns that are out there for the existing membership providers.

Login modes other than forms authentication in ASP.NET

I am trying to design a login page for my website and I am looking for methods other than forms authentication. The way I am trying is to have a table in the database that stores user information and check for the user's validity.
The point where I get stuck is how I set cookies and session variables and how I carry them throughout the system. Can anyone tell/suggest where I can find relevant material so as to move forward? And also, is my idea of negating traditional forms authentication and going for the model I described good, and does any better method exist?
You can do this even with forms authentication itself...
For Forms Authentication to work, you do not have to use the complete database setup that MS uses to authenticate. You can simply have your own database and validate a user yourself, and just set the cookie.
using System.Web.Security;

String UserName = "CoolGuy";
String PassWord = "Pwd";
// Your own lookup against your users table; returns true when the credentials match.
Boolean isValidUser = YourClass.YourMethod(UserName, PassWord);
if (isValidUser)
{
    // Second argument: false = session cookie, true = persistent cookie.
    FormsAuthentication.SetAuthCookie(UserName, false);
}
This will authenticate the user "CoolGuy" for the session, provided YourMethod returns true. And you need to put this code only in the login page... and the user will automatically be authenticated for the entire session or whatever...
Please see my response to another similar question here... ASP.NET access controls
