ASP.NET MVC 3 User Authentication

Question

What are some of the common methods to do simple user validation (account login)?

Also, can you have different authentication schemes per area?

Edit

I am creating an eCommerce site that will need to have protected actions per user. So how would one go about doing this? It will need to be able to let only authenticated users access their information.

Why inventing the wheel then? start from a good base platform for a ECommerce site, if you're in .NET, start with http://www.nopcommerce.com/ it's an ASP.NET 4.0 solution. — balexandre, Mar 28 '11 at 19:47

score 29 · Accepted Answer · edited May 23 '17 at 11:45

You have several options when it comes to doing authentication in MVC:

The built-it MVC Forms Authentication (Tutorial available here and here)
Using Forms Authentication with Cookies in MVC3 (Link here)
Using Windows Authentication (Learn more here...)
Mixed Mode Authentication (Using Windows / Forms Authentication together.)

The built in Forms Authentication can allow you to limit access to different areas of your application based on Role, User among other things and it is quite easy to implement using the [Authorize] attribute.

The following would require the user be logged in:

[Authorize]
public ActionResult YourActionNameGoesHere()
{
}

Likewise, the following would require the user be logged in AND be an Administrator:

[Authorize(Roles="Administrator")]
public ActionResult YourActionNameGoesHere()
{
}

Those were just a few methods of accomplishing it, as you can see there are MANY different methods of accomplishing this - I hope this might have shed a bit of light in helping you decide.

Levi, the security expert on the MVC team, states that there is only one secure way to perform authentication. See my answer. — Eric J., Feb 23 '12 at 04:54

score 8 · Answer 2 · answered Feb 23 '12 at 04:53

8

According to the security expert on the MVC team

The only supported way of securing your MVC application is to have a base class with an [Authorize] attribute, and then to have each controller type subclass that base type. Any other way will open a security hole.

http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx

answered Feb 23 '12 at 04:53

Eric J.

147,927
63
340
553

1

The quote about subclassing only applies to MVC versions 1 and 2 anyway. MVC3+ can use a GlobalActionFilter. – DarrellNorton Feb 28 '13 at 10:35

score 3 · Answer 3 · answered Mar 28 '11 at 19:33

3

please go to your model folder when you create a internet application with VS 2010. you will see a cs file there. that file holds a sample structure for User Authentication

Remember that : ASP.NET MVC is not a separate framework. it sits on top of ASP.NET so you can use System.Web.Security.Membership class on MVC as well.

Also, check your Account folder inside your view folder. you will some view samples there.

hope this helps.

answered Mar 28 '11 at 19:33

tugberk

57,477
67
243
335

2

When creating an empty web-application with MVC3 these folders and classes are not included, so this might be a bit misleading... – Yngve B-Nilsen Mar 28 '11 at 19:44
@Yngve did you see that, I indicated as 'when you create a internet application' to clear that out... there is no confusion I guess. – tugberk Mar 28 '11 at 20:53
@CoffeeAddict Does not suck for me. – tugberk Feb 04 '12 at 21:50

ASP.NET MVC 3 User Authentication

3 Answers3

Linked