I am extending the default ASP.NET MVC example. I am using the ASP.NET membership provider that comes with it.

The issue is that if I access one of my URLs directly without logging on, it shows the full page with the "Log On" link at the top.

I want it to obviously redirect to the login page if anyone accesses any of the specific action URLs and they are not logged in.

Do I need to put specific logic in every action of every controller to check for "is logged in?"

Any best practices here?

+7  A: 

You need to decorate your controller actions with "[Authorize]" and set up the correct login page in the web config, so whenever an action that is decorated gets called, it checks if the user is logged on and redirects to the proper login page if not.

EDIT: Here's an example on how to configure it:

In the web.config, add:

    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn.aspx" timeout="30"/>
    </authentication>

This will indicate the page where unauthenticated users will be redirected to when they hit a controller decorated with [Authorize()].

In your controller (this can be at the action level or at the controller level; here it's shown at the action level):

    using System.Web.Mvc;

    public class HistoryController : Controller
    {
        // ...

        // Unauthenticated callers are redirected to the loginUrl set in web.config
        [Authorize]
        public ActionResult MyActionThatNeedAuthentication()
        {
            // ...
        }

        // ...
    }

Jaime
You can place the decoration at the top of the class as well so that you can lock down an entire controller in one go.
griegs
Can you give me an example here? If I have [Authorize], where does the code go if the user is not authorized?
ooo
If the user is not authorized they are redirected to ~/Account/LogOn.aspx. If they successfully log in they will be taken back to the page they originally requested.
ctford
A: 

You can also define the authorized users or roles in the attribute as comma-separated lists:

    [Authorize(Users = "User1,User2")]
    public ActionResult ActionName()
    {
        return View();
    }

or

    [Authorize(Roles = "Role1,Role2")]
    public ActionResult ActionName()
    {
        return View();
    }

Buzzrick
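
Because [Authorize] is opt-in per action or per controller, as the answers above describe, an action that was never decorated stays reachable without logging in. The following audit is an added example, not code from any of the posters: it lists actions that no [Authorize] covers. The class and method names are hypothetical, and it assumes actions return ActionResult, as they do in the snippets on this page.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Added example (hypothetical helper): reports "Controller.Action" for every
// public action that is not covered by [Authorize] on the method or its class.
public static class AuthorizeAudit
{
    public static IEnumerable<string> FindUnprotectedActions(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract
                     && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            // A class-level [Authorize] (including one inherited from a base
            // controller) locks down every action in the controller.
            if (controller.IsDefined(typeof(AuthorizeAttribute), true))
                continue;

            var open = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => !m.IsSpecialName   // skip property accessors
                         // Assumption: actions return ActionResult or a subclass.
                         && typeof(ActionResult).IsAssignableFrom(m.ReturnType)
                         && !m.IsDefined(typeof(NonActionAttribute), true)
                         && !m.IsDefined(typeof(AuthorizeAttribute), true));

            foreach (var action in open)
                yield return controller.Name + "." + action.Name;
        }
    }
}

// Usage, e.g. from a unit test in the same solution:
//   var open = AuthorizeAudit.FindUnprotectedActions(typeof(HistoryController).Assembly);
```

The log-on action itself has to stay open, so expect it in the output; compare the rest against the list of pages that are meant to be public.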