
net MVC 5 application using Entity Framework etc. and am new to .NET, C# etc. (used to PHP & sessions)

So I have read a lot about using .NET's authentication service, and that it somehow registers a user upon login using FormsAuthentication.SetAuthCookie.

However, I need to authenticate a user group, for example admin or moderator, and from what I understand this can be achieved and set using [authenticate(roles="admin")].

But surely, if this is using a set cookie, a user who knew how could just change their registered role from user to admin to access restricted content?

So, in as simple terms as possible: how does .NET MVC ensure security in authenticating users? Can I use sessions instead of cookies? Do I need to create my own authentication system?

I have searched and read all I can find, and most resources just explain how cookies work or how to implement authentication using cookies, but very little about sessions.

tereško
andrew hutchings

Unlike forum sites, we don't use "Thanks", or "Any help appreciated", or signatures on [so]. See "[Should 'Hi', 'thanks,' taglines, and salutations be removed from posts?](http://meta.stackexchange.com/questions/2950/should-hi-thanks-taglines-and-salutations-be-removed-from-posts). BTW, it's "Thanks in advance", not "Thanks in advanced". – John Saunders Jan 26 '15 at 17:28

1 Answer

I'll try to be as concise as possible:

Yes, ASP.NET MVC 5 uses cookies out of the box (if you chose Individual User Accounts in the project wizard).

The authorization of a group or role by means of an [Authorize(Roles="bla")] attribute to decorate controllers and/or controller methods will do just that.
It's as if you would be writing

using System.Web.Mvc;

public class SecretController : Controller
{
    public ActionResult Index()
    {
        // Equivalent of decorating this action with [Authorize(Roles = "bla")]:
        if (!User.IsInRole("bla"))
        {
            return new HttpUnauthorizedResult();
        }
        else
        {
            // here's your ultra-secret View
            return View();
        }
    }
}

What if a user changes role while in-session or if he or she has a persistent cookie?
Indeed, you'll need to handle the interval between role change and cookie update. Read up on it here
Long story short: the design decision is yours whether you think it better to log off a user when re-assigning roles or to make db roundtrips at every authorization check.

Can you use a session variable like in PHP? Sure (the Session object exists), but you shouldn't.

If and when the situation arises where you absolutely NEED to pass some arbitrary data however, there's ViewBag, ViewData and TempData.

I won't go as far as to say that these constructs are superfluous, they certainly have their use from time to time, but do try and design your application to maximize the use of strongly-typed models and viewmodels, and make use of the REST-based URL architecture to get or put your data.

Wim Ombelets
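The answer's "db roundtrip at every authorization check" option, written out as an added example (not code from the answer or from ASP.NET itself): an AuthorizeAttribute subclass that ignores the roles carried in the auth cookie and re-reads them from the application's own store on each request. IRoleStore and StoreFactory are assumed placeholders for whatever Entity Framework lookup the application already has.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Assumed abstraction over your own user/role table (e.g. an EF query).
public interface IRoleStore
{
    string[] GetRolesForUser(string userName);
}

// Drop-in replacement for [Authorize(Roles = "...")] that re-reads the user's
// roles from the database on every request, so a role revoked after the auth
// cookie was issued takes effect immediately (the "db roundtrip" option).
public class DbAuthorizeAttribute : AuthorizeAttribute
{
    // Wired up once at startup, e.g. in Application_Start (assumed).
    public static Func<IRoleStore> StoreFactory { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User != null ? httpContext.User.Identity : null;
        if (identity == null || !identity.IsAuthenticated)
            return false;                  // anonymous: base class redirects to login

        if (string.IsNullOrWhiteSpace(Roles))
            return true;                   // no role constraint, authentication suffices

        var required = Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0);
        var current = StoreFactory().GetRolesForUser(identity.Name) ?? new string[0];

        // Authoritative check against the store, not the roles baked into the cookie.
        return required.Any(r => current.Contains(r, StringComparer.OrdinalIgnoreCase));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // A signed-in user lacking the role gets 403 instead of a login-page redirect loop.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

[DbAuthorize(Roles = "admin")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```

This override deliberately handles only the Roles property; the base attribute's Users filter is not re-applied, and each protected request now costs one store lookup, which is the trade-off the answer describes.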