
I just set up my MVC application with forms authentication and everything is just dandy except for my _LogOnPartial view. The "Welcome [Log Off]" works fine, however, I also have Role specific text or drop-down selector that needs to be displayed depending on the user's role.

This works fine as long as the user has logged in during the current session because I use cookies to hold the role and verify with User.IsInRole() in the Controller before any actions occur.

This does not work if the user selects "Remember me" because when the session starts, there is no cookie containing the role, and thus the visible items.

Is there an easy way to check User.IsInRole() in a partial view?

Here is my View:

<div id="LogInContainer">
    @if (Request.IsAuthenticated)
    {
        <div class="InLine" id="WelcomeDisplay">
            <text>Welcome <b>@Context.User.Identity.Name</b>! [ @Html.ActionLink("Log Off", "LogOff", "Account") ]</text>
        </div>
        <div id="clientDropDown">
            @{
                // Role comes from a cookie written at log-on; it is absent on a
                // "Remember me" session, which is why nothing renders in that case.
                var requestCookie = Request.Cookies["Role"];
                if (requestCookie != null)
                {
                    if (requestCookie.Value == "Client1")
                    {
                        HttpCookie client1Cookie = new HttpCookie("Client", "Client1");
                        Response.Cookies.Add(client1Cookie);
                        <text>Client: Client1</text>
                    }
                    else if (requestCookie.Value == "Client2")
                    {
                        HttpCookie client2Cookie = new HttpCookie("Client", "Client2");
                        Response.Cookies.Add(client2Cookie);
                        <text>Client: Client2</text>
                    }
                    else if (requestCookie.Value == "Administrator")
                    {
                        @:Client: @Html.DropDownList("Client", new SelectList(ConfigurationHelper.Clients))
                    }
                }
                else
                {
                    // No role cookie in this session: nothing to display
                }
            }
        </div>
    }
    else
    {
        <div id="LogOnLink">
            [ @Html.ActionLink("Log On", "LogOn", "Account") ]
        </div>
    }
</div>

Is there a way to make non-auth cookies persistent? I'm new to cookies so I may just be ignorant, but I tried a Google search with no luck.

Evan Layman

1 Answer

Set the expiration of the cookie to a future date to make it persistent. If you don't set the expiration date it is a so-called "session cookie" or "non-persistent" cookie that is not stored on disk by the browser and is kept only as long as you use the same browser session. If you want to keep the cookie "forever" you still have to pick a date; the only thing you can do is pick an expiration date "far enough" in the future (e.g. the current date plus a big constant time span).

However, you should be very careful about storing authentication or authorization information in a persistent cookie! By default ASP.NET uses session cookies for authentication, because persisting such a cookie is a serious security risk.

Tz_
  • What is a typical duration for a persistent cookie? For example, what does ASP.NET Forms use for authentication cookies? – Evan Layman Aug 15 '11 at 21:54
  • Typically you don't persist auth cookies, because it is considered quite risky. How did you persist the authentication (login) information? – Tz_ Aug 15 '11 at 22:16
  • I used the default asp.net MVC3 website authentication using System.Web.Security.FormsAuthentication: `FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);` – Evan Layman Aug 15 '11 at 22:26
  • 1
    Ok, the cookie expiration is set according to the timeout configured for the forms authentication in the web.config. See the system.web/authentication/forms/@timeout attribute. By default it is 30 minutes, hence the cookie expiration date will be DateTime.Now + 30 min. If you use sliding expiration (this is the default) the cookie gets updated with each request, hence it will only time out after being idle for 30 minutes. The expiration date of the cookie will be set only (to persist the cookie) if you explicitly said so (passing true in the SetAuthCookie). – Tz_ Aug 16 '11 at 07:00
  • Thanks for all of the information! Now, if I use an expiration date for my other cookies, will they behave similarly with idle timeout, or will it be an expiration from the creation date/time? I assume the latter, and if that's the case, is there a way to mimic the timeout feature? – Evan Layman Aug 16 '11 at 17:04
  • If you want to persist the auth cookie and your custom cookies for a long period of time (e.g. 1 year) the sliding expiration does not make much sense, so I would just disable it in the configuration. Then you just have to calculate the expiration date of your custom cookie with the same timeout as configured for the auth cookie. If you want sliding expiration you can "mimic" that as well; you just have to update your custom cookie in every request/response to set a new shifted expiration date. – Tz_ Aug 17 '11 at 07:13
  • That makes sense. I guess I assumed the sliding expiration on the auth cookie starts its expiration time when the user closes the session, not after the last request that was made. Anyway, it's not important as I will just use a non-sliding expiration. – Evan Layman Aug 17 '11 at 16:31
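An added example, not code from the question or the answer, showing the persistent-cookie mechanics the answer and comments describe: the asker's "Client" cookie gets an Expires value derived from the forms-auth timeout, and a second method re-issues it per request to mimic sliding expiration. The ClientCookie class and its method names are hypothetical; it assumes .NET 4.0 or later (for FormsAuthentication.Timeout) and MVC's HttpRequestBase/HttpResponseBase.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the question or answer). Writes the "Client"
// cookie as a persistent cookie whose lifetime matches the forms-auth ticket.
public static class ClientCookie
{
    private const string Name = "Client";

    public static void Write(HttpResponseBase response, string client, bool persistent)
    {
        var cookie = new HttpCookie(Name, client)
        {
            HttpOnly = true,                         // keep it away from page scripts
            Secure = FormsAuthentication.RequireSSL  // follow the auth cookie's HTTPS rule
        };
        if (persistent)
        {
            // Without Expires this is a session cookie (the answer's point).
            // Same timeout as <forms timeout="..."> so both cookies expire together.
            cookie.Expires = DateTime.UtcNow.Add(FormsAuthentication.Timeout);
        }
        response.Cookies.Add(cookie);
    }

    // Mimic sliding expiration: re-issue the cookie on every request so its
    // expiry moves with activity, like the auth ticket when slidingExpiration
    // is enabled. Only done while the request is still authenticated.
    public static void Slide(HttpRequestBase request, HttpResponseBase response)
    {
        var existing = request.Cookies[Name];
        if (existing == null || !request.IsAuthenticated) return;
        Write(response, existing.Value, persistent: true);
    }

    // The cookie value is client-controlled: use it for display only and keep
    // authorization decisions on the server-side principal (User.IsInRole).
    public static string ReadDisplayValue(HttpRequestBase request)
    {
        var existing = request.Cookies[Name];
        return existing == null ? null : existing.Value;
    }
}
```

Call ClientCookie.Slide(Request, Response) from an action filter or from Application_AcquireRequestState in Global.asax so the cookie is refreshed on each request.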