I'm new to MVC authorization and authentication. I'm building a login page where, when users successfully log in, they'll be redirected to the "About" page; inside the About page there are other links that point to pages that need authorization as well for the same user.

Do I have to specify the [Authorize] attribute on all ActionResult methods or not?

If so, won't the user be requested to sign in every time they click the link for that particular page?

I obviously want the user to sign in once, but when I decorate the other ActionResult method with Authorize I get redirected to the Login page even when the cookie is set.

I'm using FormsAuthentication.

Can someone please tell me what I'm doing wrong?

What I have tried:

public ActionResult Login()
{
    /*
       If login succeeds, redirect to the About page
     */
    return View();
}

[Authorize]
public ActionResult About()
{
    return View();
}

[Authorize]
public ActionResult Other()
{
    return View();
}
Updated 23-Aug-17 11:57am

1 solution

I'm going to make an initial assumption that you are using MVC 4 or greater.

To address your questions first, you should only use the [Authorize] attribute on your controller Actions if you have to be logged in in order to view whatever data/page that action serves. So in your case, if you want the user to be logged in to your app in order to view the About page, then yes, this needs the Authorize attribute, along with every page that you require the user to be authenticated to view.

Another note: there is even an attribute, [AllowAnonymous], that you can decorate actions of your controller with, which explicitly says users who are not logged in have the ability to view the data/page of the targeted action.

So, the reason for my assumption: when creating a brand new MVC project in Visual Studio, if you make the proper project selections you should end up creating an initial application that provides register user, login, account management and the ability to view some pages anonymously vs. a requirement of being logged in to view other pages.

If you are trying to do this all from scratch (I'm guessing yes since, as I understand your question, you say that anytime they click a link that has the Authorize attribute on it, they are required to log in, which means the auth cookies are not being set).

Since you are learning I would highly recommend you use the boilerplate application that is auto-generated as a new project and build on top of that. I think what I reference can be seen here, only skimmed over this link: MVC and Identity Framework 2.0[^]

By using the project generated by Visual Studio you bypass the need of having to code all the back end plumbing that is required to properly handle authentication, which includes persisting sessions to not require logging in every time they click an action decorated with the [Authorize] attribute.

Some further links I would encourage you to look into for MVC authentication.

Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute – RickAndMSFT on Azure & MVC[^]

ASP.NET Identity | The ASP.NET Site[^]

ASP.NET MVC and Identity 2.0: Understanding the Basics[^]
 
Comments
Stan_ZA 24-Aug-17 6:18am    
Thank you so much for this Dav', really appreciate it.
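
An added example, not code from the question or the answer: one way the pattern discussed above can look with FormsAuthentication, with [Authorize] on the whole controller, [AllowAnonymous] on the login actions, and the auth cookie issued once at login. The controller and LoginModel names are hypothetical, and it assumes web.config has `<authentication mode="Forms">` with the FormsAuthentication module enabled, a configured membership provider, and a login view that emits `@Html.AntiForgeryToken()`.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model for the login form.
public class LoginModel
{
    [Required] public string UserName { get; set; }
    [Required] public string Password { get; set; }
}

[Authorize] // every action needs an authenticated user unless it opts out
public class HomeController : Controller
{
    [AllowAnonymous] // the login page must be reachable before sign-in
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Assumption: credentials are checked by the configured membership provider.
        if (!ModelState.IsValid || !Membership.ValidateUser(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // Issues the forms-auth ticket cookie once; later requests to
        // [Authorize] actions are authenticated from this cookie.
        FormsAuthentication.SetAuthCookie(model.UserName, false);

        // Follow returnUrl only when it is local, to avoid open redirects.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("About");
    }

    public ActionResult About() { return View(); }

    public ActionResult Other() { return View(); }
}
```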

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


