Dawmz

Reputation: 354

Manage 2 levels of authentication with Asp.Net Identity 2.0

I'd like to be able to manage 2 levels of authentication for my ASP.NET app users. The idea is that users could log in permanently with a "remember me" option and access some user pages without very sensitive data, but they would have to re-enter their login/password each time they want to access some other pages (like their payment information). This authentication for secured pages would be for the session only. Of course, I could do that manually by handling another cookie and letting Identity take care of the permanent one, but maybe there's a way to do this with Identity only.

You can get an idea of what I'm trying to achieve from the Amazon website. You can log in permanently and then you're always welcomed by your first name on the site, you can see your recommendations, etc., but if you want to access your account or buy something, you have to enter your login/password (and then it's valid for the session only).

Thanks!

Upvotes: 4

Views: 257

Answers (1)

Hao Kung

Reputation: 28200

You can set up two login cookies to represent this: your normal login page uses the default Identity application cookie, but your more secure page creates a different cookie that is only used for your super secure area.

Here's how you add a different CookieMiddleware for this purpose:

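        // Second, passive cookie middleware: it is only consulted when
        // "SuperSecureMode" is requested explicitly.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "SuperSecureMode",
            AuthenticationMode = AuthenticationMode.Passive
        });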

You can store your cookie like this after you've reverified the credentials (you will want to add at a minimum the user id so you can verify that later):

        HttpContext.GetOwinContext().Authentication.SignIn(new ClaimsIdentity("SuperSecureMode"));

And on your super secure pages, you'll want to authenticate and fetch the user id out of the claims identity.

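        // AuthenticateAsync lives on the IAuthenticationManager; the result is null when the cookie is absent.
        var result = await HttpContext.GetOwinContext().Authentication.AuthenticateAsync("SuperSecureMode");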

Upvotes: 1
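
The flow from the answer above put together in one controller, as an added example that is not part of the original answer or of the Identity project's own code. It assumes the default MVC 5 / Identity 2.0 template (`ApplicationUserManager`, string user ids); `PaymentController` and its action names are hypothetical.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// ApplicationUserManager comes from the default MVC 5 template (assumption).
[Authorize] // the normal "remember me" application cookie is still required
public class PaymentController : Controller // hypothetical controller name
{
    private const string StepUp = "SuperSecureMode";
    private IAuthenticationManager Auth => HttpContext.GetOwinContext().Authentication;

    [HttpGet]
    public ActionResult Reverify() { return View(); }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Reverify(string password)
    {
        var users = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
        var user = await users.FindByIdAsync(User.Identity.GetUserId());
        if (user == null || !await users.CheckPasswordAsync(user, password))
        {
            ModelState.AddModelError("", "Invalid password.");
            return View();
        }
        // Bind the second cookie to this user; IsPersistent = false keeps it session-only.
        var identity = new ClaimsIdentity(StepUp);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        Auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return RedirectToAction("Index");
    }

    public async Task<ActionResult> Index()
    {
        // Passive middleware: the cookie is read only when asked for by type.
        var result = await Auth.AuthenticateAsync(StepUp);
        var stepUpId = result?.Identity?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        // Reject a missing cookie, or one that was issued to a different account.
        if (stepUpId == null || stepUpId != User.Identity.GetUserId())
            return RedirectToAction("Reverify");
        return View();
    }
}
```

Comparing the user id in the second cookie against the primary identity is what stops a step-up cookie obtained under one account from unlocking the secure pages after the browser has switched to another.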
