
Set HttpContext.User for the session

I've implemented custom authentication in ASP.NET MVC. If a valid user tries to log in, I set the HttpContext.User = user in the Logon method of the AccountController. But it remains there for only that request. How can I set it for the session?

I used an alternative, set HttpContext.Session["CurrentUser"] = user. If I want to see if the session is authorized, I'd have to check that the HttpContext.User != null. But, I don't want to expose the authentication logic everywhere in the application. If I need to change that, it'd be messy.

Please help me solve this. One solution could be populating the HttpContext.User property of every request with the value of HttpContext.Session["CurrentUser"] at the beginning, but I don't know how to do it.

Abdulsattar Mohammed asked Jan 24 '10 05:01



2 Answers

Write the following method in the Global.asax's Application class

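// Session state is not loaded yet in BeginRequest; it is available from AcquireRequestState on.
protected void Application_AcquireRequestState(Object sender, EventArgs e)
{
   var session = HttpContext.Current.Session; // null for handlers that do not use session state
   // IPrincipal lives in System.Security.Principal; session values are stored as object.
   if (session != null && session["CurrentUser"] is IPrincipal)
      HttpContext.Current.User = (IPrincipal)session["CurrentUser"];
}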

Or you can use the "User" property of System.Web.Mvc.Controller that is inherited by your controllers (note: be sure to call the FormsAuthentication.SetAuthCookie method when you successfully validate your user login).

Alex LE answered Oct 20 '22 23:10


The best way to do this is to write a custom authentication module and to hook it into your application. This module will execute before any request and will have a chance to set the HttpContext.User property as appropriate.

For example, consider the Forms Authentication module. Before your HTTP handler runs (be it an .aspx page, the MVC pipeline, etc.), it has a chance to intercept the request. It reads the value of a login cookie, decrypts and verifies the encrypted cookie value, and sets HttpContext.User if the checks pass. That way, when the handler runs and actually processes the request, the User property has already been set correctly.

In the end, what this will look like is that you don't need a custom authorization attribute on ASP.NET, as the [Authorize] attribute already provided in-box should work automatically with your custom authentication module. However, your AccountController.LogOn() method (or whatever you use in lieu of this) will need to communicate with the appropriate authentication provider that generates the token that will be validated by the authentication module. This should be the only place you'd need to write code different than what is provided in-box.

See http://social.msdn.microsoft.com/Search/en-US?query=http%20modules and http://social.msdn.microsoft.com/Search/en-US?query=custom%20authentication%20asp.net for more information.

Levi answered Oct 21 '22 01:10