I’m working on a site that uses Forms Authentication. I was interested in how the authentication system was working, since when I initially open any page in the site, it redirects me to a login, and none of the controllers/actions have any authorization logic placed in them.
- Via the configuration below, does MVC or ASP.NET automatically determine if you’re authenticated? (Like I said, there is no code in the controllers to “redirect” or make sure that the user is authorized.
- If ASP.NET handles this, in what situations do you need to authorize
your actions/controllers? (i.e. [Authorize] attribute) - How does forms authentication work? I’m especially interested in how
the “authorization” is persisted? (i.e. cookies??)
Websites web.config
Technology: MVC 3, Entity Framework 4.1 (Code first), ASP.NET 4
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Index" timeout="2880" />
</authentication>
<membership defaultProvider="CodeFirstMembershipProvider">
<providers>c
<clear />
<add name="CodeFirstMembershipProvider" type="Vanguard.AssetManager.Services.Security.MembershipService" applicationName="/" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="CodeFirstRoleProvider">
<providers>
<clear />
<add name="CodeFirstRoleProvider" type="Vanguard.AssetManager.Services.Security.RoleService" applicationName="/" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
</system.web>
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Content/packages">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Home">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="CheckIn">
<system.web>
<authorization>
<allow roles="CheckIn, Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Assignment">
<system.web>
<authorization>
<allow roles="Assignment, Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<configuration>
The site uses MVC areas, which I assume is what the section refers to.
Yes, it uses the
<location>section in your web.config to allow only users that have the Admin role to access the/Admin/*path.In ASP.NET MVC using the
[Authorize]attribute is the prefered method to control which actions need authorization instead of using the<location>tag in your web.config as you did. The reason for this is that ASP.NET MVC uses routing and you shouldn’t be hardcoding paths in your web.config which is what happens with the<location>section. So always use the[Authorize]attribute to decorate controllers/actions that require authentication.Cookies, yes. You might also checkout the following article on MSDN which explains how Forms Authentication works.