I created a brand new ASP.NET MVC 5 project to test the [Authorize]
attribute with FormsAuthentication.SetAuthCookie
. I simply set a cookie in one action (in my Home controller):
public ActionResult About() { FormsAuthentication.SetAuthCookie("someUser", false);
And I limit access to another:
[Authorize] public ActionResult Contact() {
When I launch my web page and navigate to /home/contact
, I am correctly redirected to a login page. Then I go to /home/about
, get my cookie, and go back to the contact page. But I'm still redirected to the login page -- the cookie does not authenticate/authorize me.
In the debugger, HttpContext.User.Identity.IsAuthenticated == false
when I load the About page multiple times (that is to say, it never sees me as being authenticated even after setting an auth cookie).
Is there some extra step that must be done here? I shouldn't need to set my own IPrincipal for basic authentication, should I?
Usage. Then you can start using [Authorize] attribute in Controller and Action methods. [Authorize(Roles = "Power Users")] public class UsersController : Controller { // ... }
The SetAuthCookie method adds a forms-authentication ticket to either the cookies collection, or to the URL if CookiesSupported is false . The forms-authentication ticket supplies forms-authentication information to the next request made by the browser.
from web.config remove:
<modules> <!--<remove name="FormsAuthenticationModule" />--> </modules>
or simples remove the line in web.config
EDIT: I did not know MVC5 defaulted new projects to having Forms Authentication removed (the module is removed) so make sure you also check DSR's comment under your originial post in conjuncture with all of this.
Check your web.config and look for the authentication section, it should look something like this,
<authentication mode="Forms"> <forms loginUrl="..." cookieless="UseCookies" /> </authentication>
http://msdn.microsoft.com/en-us/library/1d3t3c61%28v=vs.85%29.aspx
The default cookieless value is "UseDeviceProfile" which means that cookies are used if the browser reports that it supports cookies, otherwise cookies are not used and it uses values in the querystring to maintain an authenticated state (which need to be retained accross postbacks).
Secondly, make sure cookies are on in your browser. If the device/browser does not support cookies or they are turned off then SetAuthCookie will make changes to the url, but you have to redirect the browser after the call to SetAuthCookie using...
FormsAuthentication.RedirectFromLoginPage(String, Boolean)...
That method redirects the page to it's destination after authentication with SetAuthCookie. RedirectFromLoginPage will put the required attributes in the url query to maintain the login session accross postbacks. If you do your own redirects on the site here and there you will need to maintain that url query parameter accross postbacks your self by checking if the current user is authenticated with HttpContext.Current.User.Identity.IsAuthenticated.
In order to send your users to the login page you should be using
FormsAuthentication.RedirectToLoginPage()
That method will add a returnUrl parameter to the query string, which the later function "RedirectFromLoginPage" will redirect back to after being authenticated.
If you block access to users or roles with location elements in your web.config to paths and resources Forms Authentication handles the redirection to the login page automatically when an un-authenticated user attempts to access them.
<location path="SomeFolderOnYourSite"> <system.web> <authorization> <deny users="?"/> <allow roles="Administrators"/> </authorization> </system.web> </location>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With