Adam R. Grey

Reputation: 2024

MVC Not holding on to authentication

I have two apps I'm working on. Both of them need to use both Windows authentication and anonymous access. So to do this, I edited the web.config to get rid of the authorization tag (with "deny users="?"") and only tagged a few actions with my custom authorization attribute. The trouble is, the server is "forgetting" me. So, for instance, on the first app, one user reports that she has to attempt to access the control panel every other time she wants to edit. On the second one, I click login, I'm logged in, and then I click any other link (especially "save") and I'm logged out.

Here's one of my custom authorization attributes:

using System.Web;
using System.Web.Mvc;

public class AccountsAuthorizeITAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Returning false makes the base attribute answer with 401, which is
        // what prompts IIS to run the Windows authentication challenge.
        if(httpContext.User.Identity.IsAuthenticated == false)
        {
            return false;
        }

        // Only members of the CT-IT group are authorized.
        if(httpContext.User.IsInRole("CT-IT"))
        {
            return true;
        }

        return false;
    }
}

and to log in, I just have this in my _layout:

@Html.ActionLink("Login", "Login", "Login", new { returnURL = HttpContext.Current.Request.RawUrl }, null)

with this login controller:

using System.Web.Mvc;

public class LoginController : Controller
{
    // Authentication (and the CT-IT role) is required just to reach this action;
    // it then sends the caller back to the page where "Login" was clicked.
    [AccountsAuthorizeIT]
    public ActionResult Login(string returnURL)
    {
        return Redirect(returnURL);
    }
}

What could cause this? Shouldn't my authentication be stored in the session variable, saved for (roughly) as long as the browser window is open? Do I need to tell the server to remember my data?

Upvotes: 0

Views: 212

Answers (1)

Win

Reputation: 62270

Shouldn't my authentication be stored in the session variable, saved for (roughly) as long as the browser window is open? Do I need to tell the server to remember my data?

I personally like to store them in the Principal object as Claims using OWIN Cookie Middleware.

Here is the sample code. roleNames could be the user's assigned Active Directory groups.

using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Security;

// User is the application's own model (Id, UserName, FirstName, LastName).
// _context is the current request's HttpContextBase, supplied to this class.
private readonly HttpContextBase _context;

// Must match the AuthenticationType passed to UseCookieAuthentication in Startup.
private const string AuthenticationType = "ApplicationCookie";

public void SignIn(User user, IList<string> roleNames)
{
    IList<Claim> claims = new List<Claim>
            {
                new Claim(ClaimTypes.Sid, user.Id.ToString()),
                new Claim(ClaimTypes.Name, user.UserName),
                new Claim(ClaimTypes.GivenName, user.FirstName),
                new Claim(ClaimTypes.Surname, user.LastName),
            };

    // One role claim per group; [Authorize(Roles = ...)] reads these later.
    foreach (string roleName in roleNames)
    {
        claims.Add(new Claim(ClaimTypes.Role, roleName));
    }

    ClaimsIdentity identity = new ClaimsIdentity(claims, AuthenticationType);

    IOwinContext context = _context.Request.GetOwinContext();
    IAuthenticationManager authenticationManager = context.Authentication;

    // Issues the authentication cookie that carries the identity on subsequent requests.
    authenticationManager.SignIn(identity);
}

Startup.cs

Then you register OWIN Cookie Middleware at startup.

using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(Startup))]

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // Same value used when building the ClaimsIdentity in SignIn.
            AuthenticationType = "ApplicationCookie",
            LoginPath = new PathString("/Account/Login")
        });
    }
}

If you store them in the Principal object, you won't even need the custom attribute AccountsAuthorizeITAttribute.

Upvotes: 1
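As an added example (not code from the question or the answer), here is one way to join the two pieces: the OP's attribute triggers the Windows challenge once on the Login action, and the resulting WindowsIdentity is turned into the cookie-backed ClaimsIdentity the answer describes, so later requests are authenticated from the cookie instead of being "forgotten". It assumes Microsoft.Owin.Host.SystemWeb is installed, the cookie middleware is registered with AuthenticationType "ApplicationCookie" as above, and a Home/Index action exists as the fallback redirect target.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;

public class LoginController : Controller
{
    // Assumed constant; must equal the AuthenticationType given to UseCookieAuthentication.
    private const string AuthenticationType = "ApplicationCookie";

    // The custom attribute answers 401 when the caller is anonymous, which makes IIS
    // run the Windows (Negotiate) handshake for this one action only.
    [AccountsAuthorizeIT]
    public ActionResult Login(string returnURL)
    {
        var windowsIdentity = User.Identity as WindowsIdentity;
        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated)
        {
            return new HttpUnauthorizedResult();
        }

        var claims = new List<Claim> { new Claim(ClaimTypes.Name, windowsIdentity.Name) };

        // Copy the caller's AD group memberships into role claims so that
        // [Authorize(Roles = ...)] can be evaluated from the cookie on later requests.
        // NTAccount names carry the domain prefix, e.g. "CORP\CT-IT" (constructed value).
        foreach (IdentityReference group in windowsIdentity.Groups)
        {
            try
            {
                claims.Add(new Claim(ClaimTypes.Role, group.Translate(typeof(NTAccount)).Value));
            }
            catch (IdentityNotMappedException)
            {
                // SID with no resolvable name (e.g. a deleted group): skip it rather than fail login.
            }
        }

        var identity = new ClaimsIdentity(claims, AuthenticationType);
        IAuthenticationManager auth = HttpContext.GetOwinContext().Authentication;
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);

        // Only follow local return URLs so the login link cannot become an open redirect.
        if (!Url.IsLocalUrl(returnURL)) returnURL = Url.Action("Index", "Home");
        return Redirect(returnURL);
    }
}
```

With roles stored this way, the built-in [Authorize(Roles = @"CORP\CT-IT")] (domain prefix included) replaces the custom attribute on the protected actions, and SignOut("ApplicationCookie") on the same IAuthenticationManager ends the cookie session.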
