
Let's suppose I want to use routing like this:

`{sessionid}/{controller}/{action}/{id}`

Adding a route is easy enough, but now I am unclear on how to get AuthorizeAttribute to use the user associated with my session token. I looked at its source in ILSpy, and it seems to be relying on HttpContext to get IPrincipal, and that's where the trail goes cold. Where does it get this instance of IPrincipal?

Worst case, I imagine I could write a custom FilterAttribute and a custom user class implementing IPrincipal. Hook it up globally to get sessionid from the route data, look up my user from the DB and then just give my custom IPrincipal instance to HttpContext.User. This seems a bit low level and also bypasses the whole MembershipProvider business.

Am I on the right track or maybe there is an easier way to go about this?

Ilia G
  • Side note: putting auth info in the URL is a bad idea since everyone sees the URLs (i.e. as referer, or just user copy-pastes one...) – Alexei Levenkov Mar 13 '14 at 03:06
  • I remember in web forms development that you could specify cookielessMode in the web.config, which made it prepend something to the URL. Have you tried that? – Slicksim Mar 13 '14 at 08:40
  • @AlexeiLevenkov I know it is not optimal, but I have very specific requirements for this – Ilia G Mar 13 '14 at 16:09
  • @Slicksim that doesn't really help me to connect my `sessionid` with ASP.NET authentication – Ilia G Mar 13 '14 at 16:11
  • I think you can't find what you are looking for because you are looking in the wrong place - authentication in ASP.NET is done earlier in the pipeline, before the MVC part kicks in - a search for http://www.bing.com/search?q=asp.net+AuthenticateRequest should give you a good starting point to understand that (and [this](http://stackoverflow.com/questions/1555126/asp-net-mvc-custom-iprincipal-injection) question that seems to be close to yours). One needs to *authenticate* the user first before *authorizing* them to perform an action. – Alexei Levenkov Mar 13 '14 at 16:19
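
One way to wire up the approach sketched in the question, as an added example that is not part of the original post or its comments: an ASP.NET MVC 5 authentication filter that resolves the `sessionid` route value to a principal before `AuthorizeAttribute` runs. It assumes MVC 5 (`IAuthenticationFilter`); `ISessionStore`, `RouteSessionAuthenticationAttribute` and the `"RouteSession"` authentication type are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

// Hypothetical lookup: maps a session token to a user, or returns false
// when the token is unknown or expired (e.g. backed by the DB in the question).
public interface ISessionStore
{
    bool TryGetUser(string sessionId, out string userName, out string[] roles);
}

// MVC 5 authentication filter: runs before [Authorize], so AuthorizeAttribute
// sees the principal set here through HttpContext.User.
public class RouteSessionAuthenticationAttribute : FilterAttribute, IAuthenticationFilter
{
    // Assumption: assigned at startup or through a DI-aware filter provider.
    public static ISessionStore Store { get; set; }

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        // The token travels in the URL, so keep it out of Referer headers
        // sent to other sites and out of shared caches.
        var response = filterContext.HttpContext.Response;
        response.AddHeader("Referrer-Policy", "no-referrer");
        response.Cache.SetCacheability(System.Web.HttpCacheability.NoCache);

        var sessionId = filterContext.RouteData.Values["sessionid"] as string;
        string userName;
        string[] roles;
        if (!string.IsNullOrEmpty(sessionId) && Store != null
            && Store.TryGetUser(sessionId, out userName, out roles))
        {
            var identity = new GenericIdentity(userName, "RouteSession");
            filterContext.Principal = new GenericPrincipal(identity, roles);
        }
        else
        {
            // Fail closed: never fall through with whatever principal was there.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        // No redirect to a login page: the 401 set above stands as-is.
    }
}
```

Registering it with `GlobalFilters.Filters.Add(new RouteSessionAuthenticationAttribute())` applies it to every action, which matches a route table where every URL carries a `sessionid` segment.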

0 Answers