ASP.NET MVC Forms authentication - How it works and persists authentication?

I'm working on a site that uses Forms Authentication. I was interested in how the authentication system was working, since when I initially open any page in the site, it redirects me to a login, and none of the controllers/actions have any authorization logic placed in them.

  • Via the configuration below, does MVC or ASP.NET automatically determine if you're authenticated? (Like I said, there is no code in the controllers to "redirect" or make sure that the user is authorized.)
  • If ASP.NET handles this, in what situations do you need to authorize your actions/controllers? (i.e. the [Authorize] attribute)
  • How does forms authentication work? I'm especially interested in how the "authorization" is persisted (i.e. cookies?).

Website's web.config. Technology: MVC 3, Entity Framework 4.1 (Code First), ASP.NET 4

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Index" timeout="2880" />
    </authentication>

    <membership defaultProvider="CodeFirstMembershipProvider">
      <providers>
        <clear />
        <add name="CodeFirstMembershipProvider" type="Vanguard.AssetManager.Services.Security.MembershipService" applicationName="/" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="CodeFirstRoleProvider">
      <providers>
        <clear />
        <add name="CodeFirstRoleProvider" type="Vanguard.AssetManager.Services.Security.RoleService" applicationName="/" />
        <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
      </providers>
    </roleManager>
  </system.web>

  <!-- URL-based authorization: each <location> applies to requests whose path starts with the given prefix -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Content/packages">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Home">
    <system.web>
      <authorization>
        <!-- "?" means anonymous users: any authenticated user may enter -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="CheckIn">
    <system.web>
      <authorization>
        <allow roles="CheckIn, Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Assignment">
    <system.web>
      <authorization>
        <allow roles="Assignment, Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

The site uses MVC areas, which I assume is what the <location> sections refer to.

contactmatt, asked Aug 25 '12 22:08


1 Answer

Via the configuration below, does MVC or ASP.NET automatically determine if you're authenticated? (Like I said, there is no code in the controllers to "redirect" or make sure that the user is authorized.)

Yes, it uses the <location> section in your web.config to allow only users that have the Admin role to access the /Admin/* path.

If ASP.NET handles this, in what situations do you need to authorize your actions/controllers? (i.e. the [Authorize] attribute)

In ASP.NET MVC, using the [Authorize] attribute is the preferred method to control which actions need authorization, instead of using the <location> tag in your web.config as you did. The reason for this is that ASP.NET MVC uses routing, and you shouldn't be hardcoding paths in your web.config, which is what happens with the <location> section. So always use the [Authorize] attribute to decorate controllers/actions that require authentication.

How does forms authentication work? I'm especially interested in how the "authorization" is persisted (i.e. cookies?).

Cookies, yes. You might also check out the following article on MSDN, which explains how Forms Authentication works.

Darin Dimitrov, answered Nov 15 '22 15:11
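The pieces the answer describes, written out as an added example (this is not code from the question or the answer): a login controller that sits at the configured loginUrl and issues the forms-authentication cookie, a diagnostic action that decrypts that cookie to show what is actually persisted, and controllers that carry the same rules as the <location> sections but via [Authorize]. The reason the attribute is the safer choice is that the UrlAuthorizationModule behind <location path="Admin"> matches on the request path before MVC routing runs, so an action reached through any route that does not start with /Admin is not covered, whereas [Authorize] is evaluated on the controller/action itself no matter which URL led there. Controller names, LoginModel and the view names are assumptions for illustration; the role names and timeout come from the web.config above, and the code targets MVC 3 (no [AllowAnonymous], which arrived in MVC 4).

```csharp
// Added example, not part of the original post. Assumes ASP.NET MVC 3 with the
// web.config shown in the question (Forms auth, CodeFirstMembershipProvider,
// CodeFirstRoleProvider). AccountController, LoginModel and the view names are
// assumed names chosen for illustration.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

// Served at <forms loginUrl="~/Account/Index" />. When an anonymous request hits a
// protected resource, FormsAuthenticationModule turns the 401 into a redirect here
// and appends the original URL as ?ReturnUrl=...
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Index(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(LoginModel model, string returnUrl)
    {
        // Credential check is delegated to the configured membership provider
        // (CodeFirstMembershipProvider); the controller never sees password storage.
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            // This is the persistence step: an encrypted and MAC-protected
            // FormsAuthenticationTicket is written to the .ASPXAUTH cookie.
            // The cookie is always HttpOnly; its lifetime is <forms timeout="2880" />
            // unless RememberMe asks for a persistent cookie.
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

            // Only honour ReturnUrl when it is local; an absolute URL here is an open redirect.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        ModelState.AddModelError("", "The user name or password is incorrect.");
        return View(model);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Expires the cookie in the browser. There is no server-side revocation:
        // a ticket captured earlier stays valid until its own expiration time.
        FormsAuthentication.SignOut();
        return RedirectToAction("Index");
    }

    // Diagnostic only: decrypts the auth cookie to show what is really stored in it.
    // Remove or protect before deploying.
    public ContentResult WhoAmI()
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
            return Content("no forms-auth cookie on this request");

        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        return Content(string.Format(
            "name={0} issued={1:u} expires={2:u} persistent={3} expired={4}",
            ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, ticket.Expired));
    }
}

// Equivalent of <location path="Admin"> with <allow roles="Admin" /><deny users="*" />,
// but bound to the controller, so every route that reaches it is covered.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}

// Equivalent of <location path="CheckIn"> with <allow roles="CheckIn, Admin" />.
// AuthorizeAttribute splits the Roles list on commas; IsInRole goes through the
// configured RoleProvider (CodeFirstRoleProvider) because roleManager is enabled.
[Authorize(Roles = "CheckIn,Admin")]
public class CheckInController : Controller
{
    public ActionResult Index() { return View(); }
}
```

Two web.config settings go with this: `<forms ... requireSSL="true" />` makes ASP.NET mark the .ASPXAUTH cookie Secure (and refuse to read it over plain HTTP), and `cookieless="UseCookies"` stops the ticket from ever being carried in the URL on browsers the framework thinks lack cookie support. The defaults leave both off, so with the configuration in the question the encrypted ticket is sent over HTTP as well as HTTPS.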