Custom Authentication and ASP.NET MVC

Question

I have an internal web app being built in ASP.NET 4. We are stuck with using an authentication API built by another team. If a user to the site is authenticated successfully for the site I would like to give them access to the entire site.

In ASP.NET WebForm days I just used to keep a custom User object in session. If that object was null I knew the user wasn't authenticated. Is there a similar but improved method for this in MVC. I don't want to have to build my own provider of the ASP.NET Membership model if possible. What is the simplest way of doing this?

Answer 1

You can use Forms Authentication in conjuction with Authorize attibute as follows,

To restrict access to a view :

Add the AuthorizeAttribute attribute to the action method declaration, as shown below,

[Authorize] public ActionResult Index() {     return View(); } 

Configuring Forms Authentication in web.config

<authentication mode="Forms">      <forms loginUrl="~/Account/Login" timeout="2880" /> </authentication> 

Login Post Action: Set Authentication cookie if user is valid

[HttpPost] public ActionResult Login(User model, string returnUrl) {         //Validation code          if (userValid)         {              FormsAuthentication.SetAuthCookie(username, false);         } } 

Log off Action:

public ActionResult LogOff() {     FormsAuthentication.SignOut();     return RedirectToAction("Index", "Home"); }