I am using following code for user authentication
Home Controller:
------------------
[AllowAnonymous]
[HttpPost]
public JsonResult JsonLogin(SecurityDTO usr)
{
var cnt = _ipres.CheckLoginCount(usr);
if (cnt == 1)
{
var logDet = _ipres.GetUser(usr);
if (logDet != null)
{
var dto = new SecurityDTO
{
Id = logDet.Id,
UserName = logDet.username,
Password = logDet.password,
Email = logDet.Emailid,
UTID = logDet.UTID,
};
Session[USER] = dto;
}
if (logDet != null)
{
switch (logDet.UTID)
{
case 1:
Session["UType"] = "admin";
return Json(new { success = true, redirect = Url.Action("Index", "Admin", new { area = "Admin" }) });
case 2:
Session["UType"] = "user";
return Json(new { success = true, redirect = Url.Action("Index", "User", new { area = "User" }) });
case 3:
Session["UType"] = "client";
return Json(new { success = true, redirect = Url.Action("Index", "Client", new { area = "Client" }) });
default:
Session["UType"] = null;
break;
}
}
}
else
{
ModelState.AddModelError("", "Invalid Username or Password");
}
return Json(new { errors = GetErrorsFromModelState() });
}
Base Controller:
------------------
public SecurityDTO UDTO { get; set; }
protected override void OnActionExecuting(ActionExecutingContext act)
{
if (Session["UType"] != null)
{
UDTO = (SecurityDTO)Session[HomeController.USER];
base.OnActionExecuting(act);
}
else
act.Result = RedirectToAction("Index", "Home", new { area = "" });
}
This works pretty well for authentication. After successful login I redirect the user to an area according to his user type. All controllers in area implement base controller. Lately I found this not effective because of following reason. When I logged in as user my url will be ~/AppName/User/User/ViewName. But when I do some tampering with url and change it as ~/AppName/Admin/Admin/ViewName it takes me to that page even though I am not an admin user. I am still logged in as user but I have access to all admin features. Basically when I change user type in url it considers me as that user type. But intended behaviour is to redirect the user to login page when url tampering occurs like this. Can I do something like recognising user type change in base controller and redirect the user to login page? please show the right way to do this... Thanks in advance.