I am using following code for user authentication

C#
Home Controller:
------------------
    // Session key under which the logged-in user's DTO is stored. The constant is
    // referenced below as HomeController.USER; its string value is assumed here.
    public const string USER = "User";

    [AllowAnonymous]
    [HttpPost]
    public JsonResult JsonLogin(SecurityDTO usr)
    {
        // Repository lookup: 1 means exactly one row matches the submitted credentials.
        var cnt = _ipres.CheckLoginCount(usr);

        if (cnt == 1)
        {
            var logDet = _ipres.GetUser(usr);
            if (logDet != null)
            {
                var dto = new SecurityDTO
                {
                    Id = logDet.Id,
                    UserName = logDet.username,
                    Password = logDet.password,   // not needed after login; keeping it in session widens exposure
                    Email = logDet.Emailid,
                    UTID = logDet.UTID,
                };
                Session[USER] = dto;

                // UTID decides which area the user is redirected to. Only the *name* of
                // the user type is stored; nothing later compares it with the requested area.
                switch (logDet.UTID)
                {
                    case 1:
                        Session["UType"] = "admin";
                        return Json(new { success = true, redirect = Url.Action("Index", "Admin", new { area = "Admin" }) });
                    case 2:
                        Session["UType"] = "user";
                        return Json(new { success = true, redirect = Url.Action("Index", "User", new { area = "User" }) });
                    case 3:
                        Session["UType"] = "client";
                        return Json(new { success = true, redirect = Url.Action("Index", "Client", new { area = "Client" }) });
                    default:
                        Session["UType"] = null;
                        break;
                }
            }
        }
        else
        {
            ModelState.AddModelError("", "Invalid Username or Password");
        }

        return Json(new { errors = GetErrorsFromModelState() });
    }

Base Controller:
------------------
    public SecurityDTO UDTO { get; set; }

    protected override void OnActionExecuting(ActionExecutingContext act)
    {
        // This only checks that *some* user type is in session (authentication).
        // It never compares that type with the area being requested (authorization),
        // which is why a "user" session can open /Admin/Admin/... URLs.
        if (Session["UType"] != null)
        {
            UDTO = (SecurityDTO)Session[HomeController.USER];
            base.OnActionExecuting(act);
        }
        else
        {
            act.Result = RedirectToAction("Index", "Home", new { area = "" });
        }
    }


This works pretty well for authentication. After a successful login I redirect the user to an area according to his user type. All controllers in the areas implement the base controller. Lately I found this not effective for the following reason. When I log in as a user my URL will be ~/AppName/User/User/ViewName. But when I tamper with the URL and change it to ~/AppName/Admin/Admin/ViewName it takes me to that page even though I am not an admin user. I am still logged in as a user but I have access to all admin features. Basically when I change the user type in the URL it considers me as that user type. But the intended behaviour is to redirect the user to the login page when URL tampering like this occurs. Can I do something like recognising a user type change in the base controller and redirecting the user to the login page? Please show the right way to do this... Thanks in advance.
Updated 11-Jun-13 19:36pm
Comments
Jameel VM 12-Jun-13 2:04am    
did you try Custom Authorization in ASP.NET MVC?

1 solution

The problem is that when the user tries to access a particular action which is only accessible to admins, there is no authorization done. So try to authorize all the controllers or ActionResults. Try the below links for more information.
http://stackoverflow.com/questions/1148312/asp-net-mvc-decorate-authorize-with-multiple-enums
http://www.tsjensen.com/blog/post/2010/10/16/ASPNET+MVC+Custom+Authorize+Attribute+With+Roles+Parser.aspx
Hope this helps
Comments
abkcareer 12-Jun-13 2:33am    
Thanks for the answer Jameel, I will try them out..
Jameel VM 12-Jun-13 2:38am    
always welcome...
abkcareer 12-Jun-13 3:03am    
Ugh!! Is there any simpler way Jameel? My code is not using any enums. As you said, I just need to authorize whether the user has permission to go to that action, otherwise show him the login page. Is there something I can do in the base controller to prevent page-wise authorization? Thanks again...
Jameel VM 12-Jun-13 3:10am    
Otherwise you need to check the condition in every controller. I think that is not a good practice. Please create your own custom authorization and do the same logic that you have done in the login page.
Jameel VM 12-Jun-13 3:12am    
The problem with your current implementation is that the user can browse to any URL directly; there is no authorization done.
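One way to do the custom authorization the answer recommends, as an added example that is not code from the question or the answer: an AuthorizeAttribute that compares the user type already kept in Session["UType"] with the types allowed on the decorated controller, and sends anyone else to the login page. The attribute name, the AdminController name and the Home/Index login route are assumptions.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Added example (not the question's or answer's code): an AuthorizeAttribute that
// compares the user type kept in Session["UType"] with the types allowed on the
// decorated controller/action. Attribute and controller names are assumptions.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class UserTypeAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] _allowedTypes;

    public UserTypeAuthorizeAttribute(params string[] allowedTypes)
    {
        _allowedTypes = allowedTypes ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Not logged in: no user type in session (same test as the question's base controller).
        var userType = httpContext.Session == null ? null : httpContext.Session["UType"] as string;
        if (string.IsNullOrEmpty(userType)) return false;

        // Logged in, but is this user type allowed here? This is the check the
        // question's base controller never makes, so a "user" session passes into /Admin.
        return _allowedTypes.Length == 0
            || _allowedTypes.Contains(userType, StringComparer.OrdinalIgnoreCase);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Send anonymous and wrong-type users to the login page (Home/Index, as in the
        // question) instead of the default 401 response.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { area = "", controller = "Home", action = "Index" }));
    }
}

// Usage on an Admin-area controller: every action now requires the "admin" type, so a
// tampered ~/Admin/Admin/... URL from a "user" session is redirected to login.
[UserTypeAuthorize("admin")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```

Applying the attribute to each area's controllers (or registering it as a global filter with per-area types) keeps the check out of the individual actions, which is the base-controller-style approach the question asks for.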

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)