ASP.NET MVC: How to redirect unauthorized access to the login page

T.Zacks 3,986 Reputation points
2022-08-11T06:32:27.51+00:00

Suppose I am developing a site with ASP.NET MVC Core. I have created an empty project where I added two controllers.
One is the Home controller and the other is the Login controller.

The Home controller's Index action is not protected by the Authorize attribute, but the Home controller's Product action is protected.

When a user tries to access the Product action, the user should be redirected to the login page if not signed in. So tell me how to set up the project, in classic MVC or MVC Core, so that I can specify that the user should be redirected to the login page if the user is not signed in.

I will not use Identity; rather, I will check user credentials from the DB using ADO.NET.

Please guide me step by step on what I need to follow. Thanks

ASP.NET Core

Accepted answer
  1. AgaveJoe 26,136 Reputation points
    2022-08-11T11:30:34.543+00:00

    Browser-based applications like MVC use cookie authentication. Keep in mind, cookie authentication and Identity are two different APIs. Cookie authentication is the subject I'll use going forward.

    In ASP.NET MVC the cookie authentication library is embedded in the HTTP pipeline and turned on through configuration. The cookie authentication library contains a default redirect login URL, but you get to configure the redirect URL in code or configuration depending on the version. In the old days it was called forms authentication; the newer version is an OWIN library.

    An Overview of Forms Authentication (C#)
    A primer on OWIN cookie authentication middleware for the ASP.NET developer

    In ASP.NET Core, you get to pick and choose what middleware your application uses. The cookie authentication middleware is configured in the application start like any ASP.NET Core middleware service. The redirect URL has a default value but you get to define any URL you like.

    Use cookie authentication without ASP.NET Core Identity

    Cookie authentication mechanics are very simple. The cookie authentication middleware looks for the authentication cookie during an HTTP request (HTTP pipeline). If the cookie is not found and the resource requires authorization, the middleware library redirects to the login URL. If the authentication cookie is found, the middleware reads the encrypted cookie contents and generates a Principal object for the duration of the HTTP request. The Principal identifies the user and any claims/roles the user has. The [Authorize] attribute reads the Principal to grant or deny access to an MVC action. For example, if the user's role/claim is not authorized to access a secured resource, a 401 (unauthorized) is returned.

    Claims-based authorization in ASP.NET Core

    Anyway, read the docs, as this information is openly documented.

    1 person found this answer helpful.

2 additional answers

  1. Sreeju Nair 11,616 Reputation points
    2022-08-11T06:48:05.493+00:00

    ASP.NET MVC (classic) uses Identity, which will help you manage authentication and authorization.

    Refer: https://learn.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity

    ASP.NET Core supports ASP.NET Core Identity to perform authentication and authorization. Refer:

    https://learn.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-6.0

    When you implement Identity, the Identity system will manage authentication and authorization, including redirection to the login page / access denied page.

    I recommend that you go through the following tutorials.

    For MVC (not core)
    https://learn.microsoft.com/en-us/aspnet/mvc/overview/security/create-an-aspnet-mvc-5-web-app-with-email-confirmation-and-password-reset
    https://learn.microsoft.com/en-us/aspnet/mvc/overview/older-versions/mvc-music-store/mvc-music-store-part-7

    .Net Core
    https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-6.0&tabs=visual-studio

    1 person found this answer helpful.

  2. AgaveJoe 26,136 Reputation points
    2022-08-11T20:35:01.163+00:00

    1) So I have a question: if I am using ASP.NET Core MVC with cookie authentication, which is set up in the Program.cs file, then how can I specify my login controller name and login action name in the Program.cs file? Please guide me with sample code.

    First read the link in my last post. Use the LoginPath option:

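    // Requires: using Microsoft.AspNetCore.Authentication.Cookies;
    builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            // Unauthenticated requests to [Authorize] actions are redirected to this URL
            options.LoginPath = "/Account/Login";
        });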

    2) If Identity is a different one, then I am curious to know: does it drop auth cookies after checking user credentials from the DB? If yes, then how is Identity different from cookie authentication? Please elaborate on this point.

    You're overthinking the obvious. Identity is a user account management API. Identity can be used in a desktop application where cookies do not exist. Web applications, on the other hand, are stateless and must cache the user's identity. The Identity API authenticates the user and cookie authentication caches the user's identity/claims. They work together in a web application but are separate APIs.

    1 person found this answer helpful.
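
The cookie authentication flow described in the accepted answer, together with the LoginPath setting from the answer above, as one Program.cs for ASP.NET Core 6. This is an added example, not code from the thread: the Home/Product and Login names follow the question, `CheckCredentials` is a hypothetical placeholder for the asker's ADO.NET lookup, and a Views/Login/Index.cshtml form is assumed to exist.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Login/Index";  // unauthenticated -> 302 to here with ?ReturnUrl=...
        options.Cookie.HttpOnly = true;      // keep the auth cookie away from page scripts
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // send it over HTTPS only
    });

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();  // builds the Principal from the cookie; must precede UseAuthorization
app.UseAuthorization();   // enforces [Authorize] and triggers the redirect to LoginPath
app.MapDefaultControllerRoute();
app.Run();

public class HomeController : Controller
{
    public IActionResult Index() => Content("public page");
    [Authorize]
    public IActionResult Product() => Content($"hello {User.Identity!.Name}");
}

public class LoginController : Controller
{
    [HttpGet]  // the assumed view posts back to the same URL, so ?ReturnUrl= is preserved
    public IActionResult Index(string? returnUrl) => View();

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Index(string userName, string password, string? returnUrl)
    {
        if (!CheckCredentials(userName, password)) { ModelState.AddModelError("", "Invalid login"); return View(); }
        var scheme = CookieAuthenticationDefaults.AuthenticationScheme;
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, userName) }, scheme);
        await HttpContext.SignInAsync(scheme, new ClaimsPrincipal(identity));  // issues the encrypted cookie
        // Follow ReturnUrl only when it is local, so the login page cannot be used as an open redirect.
        return Url.IsLocalUrl(returnUrl) ? LocalRedirect(returnUrl!) : RedirectToAction("Index", "Home");
    }

    // Hypothetical placeholder: replace with a parameterized ADO.NET query that verifies a salted password hash.
    private static bool CheckCredentials(string userName, string password) => false;
}
```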