C#, ASP.NET - Restricting Access to Controller Methods

Question

I'm constructing an ordering system of sorts that requires users to log in before proceeding to the main ordering part of the website. For example, I have a login controller that (if the user exists in the database) assigns their ID and UserName to a session.

public ActionResult Login(AccountAccess userObj)
{
    if (ModelState.IsValid)
    {
        using (SC_DBEntities db = new SC_DBEntities())
        {
            var accountObj = db.Users_Account.Where(u => u.Account_UserName.Equals(userObj.Account_UserName)).FirstOrDefault();
            if (accountObj != null)
            {
                var accessObj = db.Users_Access.Where(a => a.Account_ID.Equals(accountObj.Account_ID) && a.Access_Password.Equals(userObj.Access_Password)).FirstOrDefault();
                if (accessObj != null)
                {
                    Session["Account_ID"] = accountObj.Account_ID.ToString();
                    Session["Account_UserName"] = accountObj.Account_UserName.ToString();
                    return RedirectToAction("Index", "Home");
                }
            }
        }
    }
    return View(userObj);
}

What I want to do from here is block out access to other method actions if that Session is null. So for example, if they want to access the products page but they are not logged in, the will be redirected to the login page.

I'm still reasonably new to ASP.NET so if there is a more efficient way of achieving this effect other than Sessions, please let me know.

Answer 1

Could you not use a ActionFilterAttribute?

    public class CheckSession: ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
           var MySession = HttpContext.Current.Session

           if(MySession["Account_ID"] == null || MySession["Account_UserName"]== null)
           {
              filterContext.Result = new RedirectResult(string.Format("/Account/"));
           }  
        }
    }

Then all you have to do is put it on your controller action - Can also put it on the controller to check all inside that controller:

[CheckSession]
public ActionResult Purchase()
{
 ....
}

Answer 2

To achieve what you want for a controller or a specific action, you should use custom filter or attributes ( In your case authorization attribute ).

Please have a look to this good tutorial to begin : https://www.codeproject.com/articles/577776/filters-and-attributes-in-aspnet-mvc

After that, you just need to google : authorization attribute asp.net mvc

Answer 3

Based on your comment, you can use Sessions for the purpose you are asking for. Assuming when a user logins, you store, say a username and their ID like you do above. If you want to make sure someone is logged in before running an action just check to see if those Session variables are null nor not.

Going along with your Login Controller Code, suppose you have a purchase Controller Action:

public ActionResult Purchase()
{
    //Check to see if these values have been assigned via Login Controller Action
    if(Session["Account_ID"] == null || Session["Account_UserName"] == null)
    {
         //If so, redirect to Controller Action where user can log into.
         RedirectToAction("Index", "Account")
    }
    else
    {
         //Make Purchase occur.
    }
}

Identity is a newer and better login system, but has a pretty big learning curve in my experience. Once you become more familiar with Sessions, I'd recommend to begin looking into Identity for future projects. Nothing "wrong" with Sessions, so for your purpose, the above code should work for actions you want users to be logged in to use.