
I am using the following code for user authentication:

    Home Controller:
    ------------------
    // Session key under which the logged-in user's DTO is stored
    // (referenced as HomeController.USER from the base controller).
    public const string USER = "User";

    [AllowAnonymous]
    [HttpPost]
    public JsonResult JsonLogin(SecurityDTO usr)
    {
        // Number of accounts matching the submitted credentials; exactly one means a valid login
        var cnt = _ipres.CheckLoginCount(usr);

        if (cnt == 1)
        {
            var logDet = _ipres.GetUser(usr);
            if (logDet != null)
            {
                var dto = new SecurityDTO
                {
                    Id = logDet.Id,
                    UserName = logDet.username,
                    Password = logDet.password, // note: the password is copied into session state; nothing in the shown code reads it back
                    Email = logDet.Emailid,
                    UTID = logDet.UTID,
                };
                Session[USER] = dto;

                // Choose the landing area from the user type held on the server side
                switch (logDet.UTID)
                {
                    case 1:
                        Session["UType"] = "admin";
                        return Json(new { success = true, redirect = Url.Action("Index", "Admin", new { area = "Admin" }) });
                    case 2:
                        Session["UType"] = "user";
                        return Json(new { success = true, redirect = Url.Action("Index", "User", new { area = "User" }) });
                    case 3:
                        Session["UType"] = "client";
                        return Json(new { success = true, redirect = Url.Action("Index", "Client", new { area = "Client" }) });
                    default:
                        Session["UType"] = null;
                        break;
                }
            }
        }
        else
        {
            ModelState.AddModelError("", "Invalid Username or Password");
        }
        return Json(new { errors = GetErrorsFromModelState() });
    }

    Base Controller:
    ------------------
    public SecurityDTO UDTO { get; set; }

    protected override void OnActionExecuting(ActionExecutingContext act)
    {
        // Only checks that some user type is present in the session;
        // it does not compare that type with the area being requested.
        if (Session["UType"] != null)
        {
            UDTO = (SecurityDTO)Session[HomeController.USER];
            base.OnActionExecuting(act);
        }
        else
            act.Result = RedirectToAction("Index", "Home", new { area = "" });
    }

This works pretty well for authentication. After a successful login I redirect the user to an area according to his user type. All controllers in the areas inherit from the base controller. Lately I found this ineffective for the following reason. When I log in as a user, my URL will be ~/AppName/User/User/ViewName. But when I tamper with the URL and change it to ~/AppName/Admin/Admin/ViewName, it takes me to that page even though I am not an admin user. I am still logged in as a user, but I have access to all admin features. Basically, when I change the user type in the URL, it treats me as that user type. The intended behaviour is to redirect the user to the login page when URL tampering like this occurs. Can I do something like recognising the user type change in the base controller and redirecting the user to the login page? Please show the right way to do this. Thanks in advance.

Kittu

1 Answer


You can add page-level authentication where you check whether the user has permission for the page and otherwise redirect him; also have a look at https://stackoverflow.com/a/5184363/87956

Vinay Pandey
Thanks for the answer Vinay, but is there something I can do in the base controller to prevent page-level authentication? UDTO tells me which level the user belongs to. I just need to know what level of page he wants to access. If it is admin, I'll show him the login page. Can I get the route parameters or the URL path in the base controller so I can authorize there itself? Thanks in advance. – Kittu Jun 12 '13 at 07:08
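An added example of the page-level check the answer suggests, placed in the base controller as the comment asks, so every action inherits it. This is not code from the question or the answer. It assumes the question's SecurityDTO with an integer UTID, the HomeController.USER session key, and that each user type maps to exactly one area (1 = Admin, 2 = User, 3 = Client, taken from the question's switch). The area the request is trying to reach is read from the route data (ASP.NET MVC puts the matched area name in RouteData.DataTokens["area"]), and the decision is made against the user type stored in the server-side session rather than anything in the URL.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Mvc;

// Added example: base controller that authorizes by area, not just by "is anyone logged in".
public abstract class BaseController : Controller
{
    // Assumed mapping from the question's switch: which area each user type may enter.
    private static readonly IDictionary<int, string> AreaByUserType =
        new Dictionary<int, string>
        {
            { 1, "Admin" },
            { 2, "User" },
            { 3, "Client" },
        };

    public SecurityDTO UDTO { get; private set; }

    // Pure decision helper: true only when the user type is known and its area
    // matches the area of the current route (case-insensitive, as MVC routing is).
    public static bool IsAllowedArea(int userType, string requestedArea)
    {
        string allowedArea;
        if (!AreaByUserType.TryGetValue(userType, out allowedArea))
            return false;
        return string.Equals(requestedArea ?? string.Empty, allowedArea,
                             StringComparison.OrdinalIgnoreCase);
    }

    protected override void OnActionExecuting(ActionExecutingContext act)
    {
        // 1. Authentication: a user object must exist in the server-side session.
        var user = Session[HomeController.USER] as SecurityDTO;
        if (user == null)
        {
            act.Result = RedirectToLogin();
            return;
        }

        // 2. Authorization: compare the session's user type with the area being requested.
        //    DataTokens["area"] is null for routes outside any area.
        var requestedArea = act.RouteData.DataTokens["area"] as string;
        if (!IsAllowedArea(user.UTID, requestedArea))
        {
            // The URL said "Admin" but the session says otherwise: end the session and
            // send the user to the login page, which is the behaviour the question asks for.
            Session.Abandon();
            act.Result = RedirectToLogin();
            return;
        }

        UDTO = user;
        base.OnActionExecuting(act);
    }

    private ActionResult RedirectToLogin()
    {
        return RedirectToAction("Index", "Home", new { area = "" });
    }
}
```

Two things to keep in mind when wiring this in: the login controller (HomeController with JsonLogin) must not inherit from BaseController, or it must mark its login actions with [AllowAnonymous] and skip the check for them, otherwise unauthenticated users can never reach the login page; and since the decision now depends only on UTID, the password no longer needs to be kept in the session DTO at all. The same rule could also be expressed with the framework's own AuthorizeAttribute (a subclass overriding AuthorizeCore, or Roles with forms authentication), which is what the linked answer points toward; the base-controller version above is the smallest change to the code in the question.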