Reputation: 827
How to handle both logged in and anonymous users for an action
I have a following scenario:
- I have an ASP.NET MVC website/webapp where almost all controllers are protected by
[AuthorizeAttribute] - I have introduced new pages (one new controller + some actions on it), which are available for both logged in users and for both anonymous users (I call them 'public' urls). For anonymous users we are using Session too for storing crucial data there (eg. identifying the anonymous user by some ID, etc). The
LayoutViewsetting for these 'public' actions are set whether the current user is authenticated (logged in) or not. If they are authenticated, then the wholechildView(displayed by the 'public' actions) is embedded into a master layout page which displays menu for the logged in users etc. The anonymous users have no menu, just the purechildviewpage.
My problem:
- if a logged in user times out, and tries to visit the aforementioned public-urls, then the page will handle him as a notloggedin-user (so as an anonymous user), so before she visits the new url she is presented with the logged-in interface, and after the click she is presented with an anonymous interface, which might scare her! I can not redirect her to /Account/Logon/RedirectUrI=whatever, because the url she is visiting is valid for not-logged-in users also.
The only solution I can think of is to introduce another controller/actions which call the same BLL logic as the current ones, but have [AuthorizedAttribute] on them. But this I'd like to avoid, because:
- it's a little bit of code duplication
- the url of the public pages would be different for a logged-in-user and for an anonymous user, and I'd like to keep them the same, so logged in users can copy-paste the urls whereever they like, to spread the word, and that url would be still capable of handling anonymous users.
Upvotes: 1
Views: 1245
Answers (1)
Reputation: 16038
When you want to keep one Url you have to use the same controller/action for anonymous and authenticated users.
Your problem is, that when a session times out, your authenticated user turns to an anonymous user and generates a new (anonymous) session.
What you can do to distinguish the real anonymous and the sometimes authenticated but now anonymous user is to send a special cookie to all users which had logged in one time in your app.
When such an authenticated usersession times out, the browser will send the cookie to your server and you can redirect him to the login page.
The real anonymous users browser won't send that cookie, so you can just display the page.
Upvotes: 2
Related Questions
- How to force only anonymous access to controller action?
- Allow a user to login/signin between actions
- Restricting access to controller actions for non logged in users in MVC 4
- Allow Anonymous to call certain action in asp.net mvc 3
- Allow anonymous access to controller action
- Using ASP.NET MVC Controller Action with authorized and unauthorized users
- How to restrict some views/actions to logged in users?
- Allowing anonymous access to MVC4 actions
- MVC3 authentication and anonymous users
- How to check in Asp.Net MVC controller's action if user is logged in