OscarMartine... (Member, 18 Points, 20 Posts)
MVC Forms Authentication
Nov 09, 2012 11:16 AM
Hi Guys,
I am new to MVC and I am trying to use the Repository Pattern to create my authentication. So far I have created the class below, which works fine; however, in my controller I want to be able to save the ID.

    using System.Linq;

    public class AuthenticationsRepository
    {
        private readonly DevelopmentEntities _context = new DevelopmentEntities();

        // Customer Authentication.
        // Note: this compares the submitted password with the stored column as-is
        // (a plain-text comparison); the query itself is parameterized by LINQ to Entities.
        public UserProfileModel Authenticate(string UserName, string Password, bool iRememberMe)
        {
            var userprofile = (from c in _context.user
                               join cp in _context.User_Profile on c.ID equals cp.ID
                               where c.username == UserName && c.Password == Password
                               // Email_Address is assumed to live on User_Profile; it was read
                               // below but missing from the projection
                               select new { c.ID, cp.Role, cp.First_Name, cp.Last_Name, cp.Email_Address, c.username })
                              .FirstOrDefault();

            if (userprofile != null)
            {
                // Map the projection onto the model the controller consumes
                // (was "new userprofile { ... }", which does not compile)
                return new UserProfileModel
                {
                    ID = userprofile.ID,
                    FirstName = userprofile.First_Name,
                    LastName = userprofile.Last_Name,
                    EmailAddress = userprofile.Email_Address
                };
            }
            return null;
        }
    }

In my controller I use the following code to call the authentication. Now I would like to store the ID so it can be accessed from any view or controller. How would I do that?

    var repository = new AuthenticationsRepository();
    var model = repository.Authenticate(iUserName, iPassword, iRememberMe);
Oscar Martinez
www.OzkarServices.com
I.T Management Solution & Software Development
RichardY (Star, 8376 Points, 1573 Posts)
Re: MVC Forms Authentication
Nov 09, 2012 12:03 PM
Store it in Session:
Session["CurrentUserId"] = Id;
OscarMartine... (Member, 18 Points, 20 Posts)
Re: MVC Forms Authentication
Nov 09, 2012 12:32 PM
I was under the impression that MVC was stateless? Also, I was reading a couple of articles that mentioned that sessions aren't that secure, but if I'm only storing the ID I don't see any harm. What's your input on this?
BrockAllen (All-Star, 28134 Points, 4997 Posts, MVP)
Re: MVC Forms Authentication
Nov 09, 2012 03:31 PM
Bad idea.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
BrockAllen (All-Star, 28134 Points, 4997 Posts, MVP)
Re: MVC Forms Authentication
Nov 09, 2012 03:33 PM
Correct - You don't want to use session for authentication since it wasn't designed for it. Also, personally, I argue that you should never use session at all.
What you want is forms authentication.
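As an added example (not code from this thread), here is the minimal forms-authentication flow Brock is pointing at, wired to the AuthenticationsRepository from the first post. AccountController, LoginModel, OrdersController and the web.config values are assumptions for the illustration. The point it shows: put a stable identifier (the user's ID) in the ticket's Name slot at login and it is available in every controller and view as User.Identity.Name, signed and encrypted under the machineKey, with no Session involved.

```csharp
// Added example, not from the thread. Assumes the AuthenticationsRepository /
// UserProfileModel from the first post and an MVC 3/4 project on .NET 4.
//
// Web.config (inside <system.web>) - cookie-only tickets, HTTPS-only cookie:
//   <authentication mode="Forms">
//     <forms loginUrl="~/Account/Login" cookieless="UseCookies"
//            requireSSL="true" timeout="30" slidingExpiration="true" />
//   </authentication>
//   <machineKey validationKey="..." decryptionKey="..."
//               validation="HMACSHA256" decryption="AES" />  <!-- same on every farm node -->

using System.Web.Mvc;
using System.Web.Security;

public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    private readonly AuthenticationsRepository _auth = new AuthenticationsRepository();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        var user = _auth.Authenticate(model.UserName, model.Password, model.RememberMe);
        if (user == null)
        {
            // Same message for unknown user and wrong password: no account enumeration
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // The ticket's Name slot is the one field forms auth carries for free. Put the
        // stable user ID there (not "First Last", which need not be unique) and every
        // later request can read it as User.Identity.Name.
        FormsAuthentication.SetAuthCookie(user.ID.ToString(), model.RememberMe);

        // Only follow returnUrl if it is local; otherwise this is an open redirect.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}

// Any other controller: the ID travels with the ticket, no Session needed.
public class OrdersController : Controller
{
    [Authorize]
    public ActionResult Index()
    {
        int currentUserId = int.Parse(User.Identity.Name);   // set by SetAuthCookie above
        return View(currentUserId);
    }
}
```

requireSSL="true" makes the browser send the ticket cookie only over HTTPS, and the cookie is HttpOnly by default; cookieless="UseCookies" is the setting Brock's next reply is about, since a ticket in the URL leaks through logs, Referer headers and copy-pasted links. Anything beyond the ID (display name, role) is either looked up per request from the ID or carried in the ticket's UserData, which is what the rest of the thread turns to.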
OscarMartine... (Member, 18 Points, 20 Posts)
Re: MVC Forms Authentication
Nov 09, 2012 08:32 PM
Hi Guys,
So I was reading the Microsoft article BrockAllen provided. The way I understand it is that after a successful log on, the web page has the ability to create a cookie or cookieless forms authentication ticket containing the authentication information. So I'm assuming that when the ticket gets created I could include additional data like the UserID, Name and Role, and in the controller I could read the information. How safe is that?
The below code is what I'm planning to use when the user authenticates.
    using System.Web;
    using System.Web.Security;

    // Query the user store to get this user's User Data ("<ID>|<Role>")
    string userDataString = string.Concat(userprofile.ID.ToString(), "|", userprofile.Role);

    // Create the cookie that contains the forms authentication ticket
    HttpCookie authCookie = FormsAuthentication.GetAuthCookie(userprofile.First_Name + " " + userprofile.Last_Name, iRememberMe);

    // Get the FormsAuthenticationTicket out of the encrypted cookie
    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);

    // Create a new FormsAuthenticationTicket that includes our custom User Data
    FormsAuthenticationTicket customTicket = new FormsAuthenticationTicket(
        ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent, userDataString);

    // Update the authCookie's Value to use the encrypted (and MAC-protected) version of the new ticket
    authCookie.Value = FormsAuthentication.Encrypt(customTicket);

    // Manually add the authCookie to the Cookies collection
    // (HttpContext.Current works outside a controller; inside a controller action use Response.Cookies.Add)
    HttpContext.Current.Response.Cookies.Add(authCookie);

In my controller I would read the data as follows:
    FormsIdentity id = HttpContext.User.Identity as FormsIdentity;
    if (id == null)
    {
        // Not authenticated with forms auth: a direct cast would throw here.
        // (Or decorate the action with [Authorize] so this path is never reached.)
        return new HttpUnauthorizedResult();
    }
    FormsAuthenticationTicket ticket = id.Ticket;
    string UserData = ticket.UserData;
    // Split on the | (assumes neither the ID nor the Role contains '|')
    string[] userDataPieces = UserData.Split('|');
    string UserID = userDataPieces[0];
    string Role = userDataPieces[1];

What do you think? Is this safe enough?
BrockAllen (All-Star, 28134 Points, 4997 Posts, MVP)
Re: MVC Forms Authentication
Nov 09, 2012 08:58 PM
Yes, the forms auth API issues a cookie. Don't ever use cookieless -- that's insecure.
Since you want to store more than just the username, you could use the Extra Data slot, but that's a bit tedious. If you're willing to use a more modern security programming model then you could look into using claims. My friend Dominick has a good article on using WIF's cookie library to do what you want, and it allows for arbitrary extra data:
http://leastprivilege.com/2012/02/09/replacing-asp-net-forms-authentication-with-wif-session-authentication-for-the-better/
OscarMartine... (Member, 18 Points, 20 Posts)
Re: MVC Forms Authentication
Nov 09, 2012 09:14 PM
I'll take a look at his article. May I ask you why you think it's tedious? Is it because I have to keep on calling the code below every time I need the UserID and Role?
    FormsIdentity id = HttpContext.User.Identity as FormsIdentity;
    if (id == null)
    {
        // Not authenticated with forms auth: a direct cast would throw here
        return new HttpUnauthorizedResult();
    }
    FormsAuthenticationTicket ticket = id.Ticket;
    string UserData = ticket.UserData;
    // Split on the |
    string[] userDataPieces = UserData.Split('|');
    string UserID = userDataPieces[0];
    string Role = userDataPieces[1];
BrockAllen (All-Star, 28134 Points, 4997 Posts, MVP)
Re: MVC Forms Authentication
Nov 09, 2012 09:51 PM
Yeah, it's tedious because you have to write that plumbing code and you're digging into the innards of what forms auth should encapsulate for you. They really should have provided a helper (way back in 1.0, IMO) to add the extra data. Stinks that people have to do this nonsense.
With Claims, this is encapsulated for you.
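As an added example (not code from the thread, and not the WIF approach from Dominick's article), here is one way to stop repeating the Split() plumbing while staying on forms authentication: parse the ticket's UserData once per request in Global.asax and replace the principal with a ClaimsPrincipal, so controllers read the ID and role through User and [Authorize(Roles = ...)] just works. It assumes the login code from the earlier post wrote "<ID>|<Role>" into UserData and a .NET 4.5 project (System.Security.Claims ships in mscorlib there). MvcApplication, ClaimsExtensions.UserId, OrdersController and the "Admin" role are assumptions for the illustration.

```csharp
// Added example, not from the thread or the linked article. Assumes a forms ticket
// whose UserData is "<userId>|<role>" (as written by the earlier post's login code)
// and .NET 4.5 for System.Security.Claims. Hypothetical names: ClaimsExtensions, "Admin".

using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    // Fires after FormsAuthenticationModule has checked the ticket's MAC and
    // decrypted it, on every request. Rebuild the principal once, here.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var formsIdentity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (formsIdentity == null)
            return;   // anonymous, or not forms auth: leave the default principal alone

        ClaimsPrincipal principal = ClaimsFromTicket(formsIdentity.Ticket);
        if (principal == null)
        {
            // Valid MAC but UserData is not in the expected shape (e.g. a ticket issued
            // by older login code): fail closed instead of trusting half-parsed data.
            FormsAuthentication.SignOut();
            Context.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
            return;
        }
        Context.User = principal;
    }

    // Parses "<userId>|<role>" defensively; returns null on any shape violation.
    public static ClaimsPrincipal ClaimsFromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || string.IsNullOrEmpty(ticket.UserData))
            return null;

        string[] parts = ticket.UserData.Split('|');
        int userId;
        if (parts.Length != 2 || !int.TryParse(parts[0], out userId) || parts[1].Length == 0)
            return null;

        var identity = new ClaimsIdentity("Forms");   // non-empty AuthenticationType => IsAuthenticated
        identity.AddClaim(new Claim(ClaimTypes.Name, ticket.Name));
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId.ToString()));
        identity.AddClaim(new Claim(ClaimTypes.Role, parts[1]));   // what IsInRole / [Authorize(Roles)] reads
        return new ClaimsPrincipal(identity);
    }
}

public static class ClaimsExtensions
{
    // Hypothetical helper: the one place that knows where the user ID lives.
    public static int UserId(this IPrincipal user)
    {
        var cp = user as ClaimsPrincipal;
        Claim c = cp == null ? null : cp.FindFirst(ClaimTypes.NameIdentifier);
        if (c == null)
            throw new InvalidOperationException("No authenticated user.");
        return int.Parse(c.Value);
    }
}

public class OrdersController : Controller
{
    [Authorize(Roles = "Admin")]      // role comes from the ticket, not from Session
    public ActionResult Index()
    {
        int userId = User.UserId();   // one call instead of the cast-and-Split plumbing
        return View(userId);
    }
}
```

Two caveats worth keeping in mind with this pattern. The client cannot change the ID or role, because UserData sits inside the ticket that is MAC-protected and encrypted under the machineKey; but the role is a snapshot taken at login, so a revoked role stays in force until the ticket expires or the user signs out again, which argues for a short timeout or a per-request check against the store for sensitive actions. And UserData travels in the cookie on every request, so keep it to identifiers rather than whole profiles (browsers cap a cookie at roughly 4 KB).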
OscarMartine... (Member, 18 Points, 20 Posts)
Re: MVC Forms Authentication
Nov 09, 2012 10:42 PM
Yeah, I agree with you. Thanks for all your help!