Reputation: 41
AccountController
This is my AccountController, and I have a User model from which I just fetch the email and password.
public ActionResult Login(User model, string ReturnUrl)
{
    using (DbAccess db = new DbAccess())
    {
        // Look up the user by the submitted credentials. This compares the password
        // exactly as stored; in production the stored value should be a salted hash.
        var user = db.users
            .Where(m => m.email == model.email && m.password == model.password)
            .FirstOrDefault();

        // Without this check a failed login dereferences null in SetAuthCookie.
        if (user == null)
        {
            ModelState.AddModelError("", "Invalid email or password.");
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(user.username, user.RemmemberMe);

        // Only follow ReturnUrl when it points back into this site; otherwise
        // the login action is an open redirect.
        if (!string.IsNullOrEmpty(ReturnUrl) && Url.IsLocalUrl(ReturnUrl))
        {
            return Redirect(ReturnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
HomeController
Here you can see the HomeController, where I use the AllowAnonymous attribute on the whole controller, but the About action method has the Authorize attribute...
// Controller-level [AllowAnonymous] applies to every action in this class,
// including About, so the action-level [Authorize] below is never enforced.
[AllowAnonymous]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [Authorize]
    public ActionResult About()
    {
        ViewBag.Message = "Your application description page.";
        return View();
    }

    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";
        return View();
    }
}
WebConfig
This is my web.config file...
<authentication mode="Forms">
<forms loginUrl="~/Account/Login"></forms>
</authentication>
Now the problem is: when I'm logged in, I can access all the action methods, whether they are Anonymous or Authorize, which is what I expected. But when I log out and am redirected to the login page, and then try to access an Authorize action method again, it still takes me to that method; I mean it is accessed by an unauthorized user.
Further, I have cleared the browser's full history, cookies etc., but it's not working for me.
Upvotes: 0
Views: 853
Reputation: 1605
As stated by Rick Anderson on the MSDN blog; please read it for more details.
In MVC, by default all controllers and actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the Authorize attribute is provided.
You need to do the opposite: secure all of the application's controllers and action methods, and put AllowAnonymous on those controller actions which can be accessed by anyone, logged-in user or anonymous user.
Your modified code should look like this.
// Deny by default: every action in this controller requires an authenticated
// user unless it is explicitly opted out with [AllowAnonymous].
[Authorize]
public class HomeController : Controller
{
    [AllowAnonymous]
    public ActionResult Index()
    {
        return View();
    }

    // No attribute needed here; the controller-level [Authorize] applies.
    public ActionResult About()
    {
        ViewBag.Message = "Your application description page.";
        return View();
    }

    [AllowAnonymous]
    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";
        return View();
    }
}
Upvotes: 1
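The reason the original layout fails is that MVC's AuthorizeAttribute skips its check whenever [AllowAnonymous] is present on either the action or its controller, so a controller-level [AllowAnonymous] silently disables every action-level [Authorize] inside it. The following is an added example, not code from the question or the answer, showing the deny-by-default pattern the answer describes applied application-wide: a global AuthorizeAttribute registered in FilterConfig, an AccountController whose Login actions are explicitly anonymous (otherwise the unauthenticated redirect to loginUrl loops), and a HomeController that opts public pages out one at a time. LoginViewModel and the CredentialStore.Verify helper are assumed application code and are not part of ASP.NET MVC.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

public class FilterConfig
{
    // Called from Application_Start in Global.asax:
    //   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Every controller action now requires an authenticated user unless
        // the action (or its controller) carries [AllowAnonymous].
        filters.Add(new AuthorizeAttribute());
    }
}

// Assumed view model for the login form (not part of the original post).
public class LoginViewModel
{
    [Required, EmailAddress]
    public string Email { get; set; }

    [Required, DataType(DataType.Password)]
    public string Password { get; set; }

    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    // Login must be reachable anonymously: the global filter redirects any
    // unauthenticated request to loginUrl, which is this action. Without
    // [AllowAnonymous] that redirect would itself be denied and loop.
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        // CredentialStore.Verify is an assumed application helper that checks
        // the password against a stored salted hash and returns the username,
        // or null when the credentials do not match.
        string username = ModelState.IsValid
            ? CredentialStore.Verify(model.Email, model.Password)
            : null;
        if (username == null)
        {
            ModelState.AddModelError("", "Invalid email or password.");
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(username, model.RememberMe);

        // Accept only site-local return URLs so the login page is not an
        // open redirect.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Clears the forms-authentication cookie; on the next request the
        // global filter denies every action that is not [AllowAnonymous].
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}

public class HomeController : Controller
{
    // Public pages opt out of the global AuthorizeAttribute individually.
    [AllowAnonymous]
    public ActionResult Index() { return View(); }

    [AllowAnonymous]
    public ActionResult Contact() { return View(); }

    // No attribute: protected by the global AuthorizeAttribute, and no
    // controller-level [AllowAnonymous] exists to override it.
    public ActionResult About() { return View(); }
}
```

With this layout, forgetting an attribute on a new action makes it private rather than public, which is the failure direction you want. Any action that must stay reachable after logout (login, password reset, public landing pages) needs its own [AllowAnonymous]; never put that attribute on a controller that also contains protected actions.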