I want to allow two types of authorization in my .NET MVC 2.0 app. One would be good old-fashioned id/password (forms authentication) but I also want to be able to look at the header of the request page for an id/password as well. If that's provided, I want to authorize based upon that, bypass the forms authentication and allow the user into the system. What's the best way to do that in MVC?

Thanks!!

A: 

Don't think there is anything out of the box for this type of authentication. You could just read the request headers and check if they contain login information you need, and if they do, just do forms authentication but using the login info from the request header e.g.

string userId = String.Empty;
string password = String.Empty;
// Look through the request headers for the two credential fields
foreach (var key in Request.Headers.AllKeys)
{
    if (key == "UserId")
        userId = Request.Headers[key];
    if (key == "Password")
        password = Request.Headers[key];
}

if (!String.IsNullOrEmpty(userId) && !String.IsNullOrEmpty(password))
{
    // attempt login
}
else
{
    // display login page
}

James

A: 

You can hook into authentication requests either in global.asax, or by writing a custom HTTPModule. The HTTPModule is particularly good at hooking into all the events in the ASP.NET pipeline, including authentication.

However, using this for authentication based on header content seems to be very high risk, knowing how easy it is to forge headers.

Cylon Cat
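
The two answers combined, as an added example that is not code from either answer: a custom HTTP module that hooks `AuthenticateRequest`, treats the `UserId` and `Password` headers only as credentials to verify, and otherwise leaves the request to forms authentication. The class name `HeaderCredentialModule` is hypothetical, and the use of a configured ASP.NET membership provider and the HTTPS requirement are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module; register it in web.config under <httpModules>
// (or <system.webServer>/<modules> in IIS 7 integrated mode).
public class HeaderCredentialModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Already signed in through the forms-authentication cookie.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            return;

        string userId = ctx.Request.Headers["UserId"];
        string password = ctx.Request.Headers["Password"];
        if (String.IsNullOrEmpty(userId) || String.IsNullOrEmpty(password))
            return; // no header credentials: the normal forms login applies

        // The password travels in a header, so ignore it on plain HTTP.
        if (!ctx.Request.IsSecureConnection)
            return;

        // Any client can set these headers, so their presence proves nothing.
        // Verify them against the same user store the login form uses
        // (assumption: a membership provider is configured).
        if (!Membership.ValidateUser(userId, password))
            return; // request stays anonymous; [Authorize] sends it to login

        // Credentials verified: attach an authenticated principal for this
        // request only. No cookie is issued, so each request must carry them.
        ctx.User = new GenericPrincipal(
            new GenericIdentity(userId, "Header"), new string[0]);
    }

    public void Dispose() { }
}
```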