
I'm developing an MVC 5 web application with an existing database. The application really has two types of interfaces, one set for registered users only, the other set for admin users only.

Unfortunately both types of users are not stored in the same User table, rather, in two separate tables, i.e., tblUser and tblAdmin. This is an inherited database so there's nothing I can do about that.

I was thinking of creating two MVC websites, one for the registered users, and the other for the admin users. I could still do this, however, it would mean repetition of some code.

Another option I was thinking of doing was just having one MVC site, and create an Area within that to securely place all the administration interfaces and code.

I would then have two Account Controllers (standard Account Controller and one in the Area for Admins) each with their own Login Action.

Each Login Action would use the latest ASP.Net Identity for Authentication (i.e. set up a ClaimsIdentity, IAuthenticationManager, etc.), something like this:

using System;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

private IAuthenticationManager AuthenticationManager
{
    get
    {
        return HttpContext.GetOwinContext().Authentication;
    }
}

public ActionResult Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        var user = _AccountService.VerifyUserLogin(model.UserName, model.Password);
        if (user != null)
        {
            var identity = new ClaimsIdentity(
                new[] { new Claim(ClaimTypes.Name, model.UserName) },
                DefaultAuthenticationTypes.ApplicationCookie,
                ClaimTypes.Name,
                ClaimTypes.Role);

            // Add claim to store doctor ID; roles can also be added here if needed
            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, Convert.ToString(user.userID)));
            identity.AddClaim(new Claim(ClaimTypes.Role, "AddRoleHere"));

            AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = model.RememberMe }, identity);

            return RedirectToLocal(returnUrl);
        }
        else
        {
            ModelState.AddModelError("", "Invalid username or password.");
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}

My worry is that, if I use AuthenticationManager.SignIn in both Login Actions, albeit in different Actions, would this cause problems, e.g., sharing of the authentication cookie being set up, threading issues or even race conditions?

I feel I need to ask this question and hopefully get some response before I continue with this application.

I've seen a previous application with these issues, not necessarily to do with authentication, but let's just say it makes me very cautious especially when data is involved.

Any feedback or discussion around this would be great.

Thanks.

tereško
tcode
  • You'll thank yourself later if you go with one site, one controller. If you can't merge the tables, then I'd go with custom authentication and custom roleprovider that checks both tables and sticks people in the correct roles accordingly, and control access through roles. – MikeSmithDev Feb 06 '14 at 18:00
  • I agree with @MikeSmithDev. Spend some time considering how much effort it will take to write SQL scripts (I presume; you didn't mention the storage technology) to migrate your Admin users into your registered users table; compare that effort against the hoops you will need to jump through to create and maintain two websites (or whatever workaround you decide on). I bet you can come up with a strong argument to convince your decision makers that merging tables is the better long term route. – Vince Horst Feb 07 '14 at 03:35
  • @MikeSmithDev Thanks guys. It makes sense what you say, that's the way I'll go, one site, one Account Controller and one Login Action for all types of Users. – tcode Feb 07 '14 at 09:39
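The following is an added example, not code from the question or from the commenters, showing the "one site, one controller, one Login action, roles decide access" approach the comments recommend. Two points it illustrates: the cookie middleware writes one cookie per authentication type (ApplicationCookie here), so a second SignIn with the same type overwrites the first rather than "sharing" anything, and each request gets its own OwinContext, so two login actions cannot race across requests. The real security boundary is therefore authorization: the Admin area must be gated by a role claim on the single identity, not by which login action issued the cookie. The ILoginStore interface, the TwoTableLoginStore with its in-memory rows standing in for tblUser and tblAdmin, the sample account names and passwords, and the DashboardController in an assumed Areas/Admin are all constructed for this example; a real store would run the same two lookups against the inherited tables, and the assumption that both tables hold ASP.NET Identity-style password hashes is also the example's, not the question's.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // DefaultAuthenticationTypes, PasswordHasher
using Microsoft.Owin.Security;     // IAuthenticationManager, AuthenticationProperties

namespace SingleSite.Security
{
    // Result of a successful lookup in EITHER inherited table (constructed type).
    public sealed class LoginResult
    {
        public string UserId { get; set; }
        public string UserName { get; set; }
        public string[] Roles { get; set; }
    }

    public interface ILoginStore
    {
        // Returns null when the credentials match neither tblUser nor tblAdmin.
        LoginResult Verify(string userName, string password);
    }

    // Constructed stand-in for the two inherited tables. A real implementation
    // would query tblUser and tblAdmin; the role assignment logic stays the same.
    public sealed class TwoTableLoginStore : ILoginStore
    {
        private static readonly PasswordHasher Hasher = new PasswordHasher();
        private sealed class Row { public string Id; public string Hash; }

        private readonly Dictionary<string, Row> _tblUser =
            new Dictionary<string, Row>(StringComparer.OrdinalIgnoreCase)
            { { "alice", new Row { Id = "u-1001", Hash = Hasher.HashPassword("user-pass") } } };

        private readonly Dictionary<string, Row> _tblAdmin =
            new Dictionary<string, Row>(StringComparer.OrdinalIgnoreCase)
            { { "bob", new Row { Id = "a-7", Hash = Hasher.HashPassword("admin-pass") } } };

        public LoginResult Verify(string userName, string password)
        {
            Row row;
            // tblUser is consulted first, so a name present in both tables
            // fails closed to the lower-privilege role.
            if (_tblUser.TryGetValue(userName, out row) && Matches(row, password))
                return new LoginResult { UserId = row.Id, UserName = userName, Roles = new[] { "User" } };
            if (_tblAdmin.TryGetValue(userName, out row) && Matches(row, password))
                return new LoginResult { UserId = row.Id, UserName = userName, Roles = new[] { "User", "Admin" } };
            return null;
        }

        private static bool Matches(Row row, string password)
        {
            return Hasher.VerifyHashedPassword(row.Hash, password) != PasswordVerificationResult.Failed;
        }
    }

    // The single Login action for every kind of user.
    [AllowAnonymous]
    public class AccountController : Controller
    {
        private readonly ILoginStore _store = new TwoTableLoginStore();

        private IAuthenticationManager AuthenticationManager
        {
            get { return HttpContext.GetOwinContext().Authentication; }
        }

        [HttpPost, ValidateAntiForgeryToken]
        public ActionResult Login(string userName, string password, bool rememberMe, string returnUrl)
        {
            var result = _store.Verify(userName, password);
            if (result == null)
            {
                // Same message for unknown name and wrong password: no account enumeration.
                ModelState.AddModelError("", "Invalid username or password.");
                return View();
            }

            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Name, result.UserName),
                new Claim(ClaimTypes.NameIdentifier, result.UserId)
            };
            claims.AddRange(result.Roles.Select(r => new Claim(ClaimTypes.Role, r)));

            // RoleClaimType = ClaimTypes.Role makes [Authorize(Roles = ...)] read these claims.
            var identity = new ClaimsIdentity(claims,
                DefaultAuthenticationTypes.ApplicationCookie, ClaimTypes.Name, ClaimTypes.Role);

            // One cookie per authentication type: this replaces any existing ApplicationCookie.
            AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = rememberMe }, identity);

            // Only follow returnUrl when it is local, to avoid an open redirect.
            return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl)
                                             : RedirectToAction("Index", "Home");
        }
    }

    // Assumed to live in Areas/Admin: the "Admin" role claim is the only thing that opens it,
    // regardless of which URL the user logged in from.
    [Authorize(Roles = "Admin")]
    public class DashboardController : Controller
    {
        public ActionResult Index() { return View(); }
    }
}
```

With this layout there is no second cookie to keep separate: a registered user who logs in gets a cookie carrying only the "User" role claim and is refused by the Admin area's [Authorize(Roles = "Admin")] with a 403, while an admin's cookie carries both roles. If the Admin area must never be reached by a cookie issued before a table migration, a practical check is to confirm in the browser that exactly one ".AspNet.ApplicationCookie" (the Katana default name) exists after each login, which is also the quickest way to see that two SignIn calls overwrite rather than accumulate.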
