C# - Develop a custom authentication and authorization system consistent with a Web Forms application


I am creating a new ASP.NET MVC 4 application (actually my first MVC application) as part of a previous ASP.NET Web Forms application. I have never used the ASP.NET built-in authentication methods in any of my projects. The new MVC 4 app will be published on a sub-domain of the previous app. Login is done by the previous app; a return URL should be provided so that the MVC app can return to the current page if the user is not logged in. However, the new user registration and account recovery options are developed in the previous Web Forms application, and I don't want to replicate them in the new MVC application.

A cookie "token" with the token number is issued by the Web Forms application on the event of a successful login and is shared on the domain *.maindomain.com.

Now I want to merge my own token validation method with the ASP.NET built-in methods so that I can make use of [Authorize] and the other security related options in the new MVC application.

In the previous application I have developed a custom user validation system in the following way.

First, I have the following related SQL Server tables

[image of the related SQL Server tables; not reproduced here]

and the following classes

```csharp
using System;
using System.Web;

// Enums referenced by the class; only the values named in the question are listed here.
public enum MemberState { Active, EmailPending, Suspended }
public enum TokenStatus { Active, Closed }

public class Token
{
    public static uint GenerateToken(string userEmail, string password, bool isPersistent)
    {
        // This static function generates a uint type unique token number
        // and puts it in a cookie "token" using the HttpContext.Current.Response object.
        // If isPersistent is set to true the cookie is persistent, otherwise not.
        // If there is a problem in creating the token it throws an exception with a proper message.
        // Possible causes of not generating a token:
        // 1. invalid userEmail or password
        // 2. the 'State' value in the 'Member' table is 'EmailPending' or 'Suspended' (there is an enum MemberState)
        throw new NotImplementedException(); // body not shown in the question
    }

    public Token(uint tokenNo, bool validateImmediately = false)
    {
        // Loads the token details and a few fields from the Member table in the database.
        // Calls the Validate function if validateImmediately is set to true.
        // Throws an exception if the token does not exist in the database.
    }

    public void Validate()
    {
        // Checks that MemberState is Active and the token status is Active, and throws an exception if anything is wrong.
        // Also checks that (LastAccessedOn.AddSeconds(TokenLife) < AppSettings.Now) is not true.
        // Calls the UpdateStatus function with the new token status and the current page from HttpContext in the comment parameter.
    }

    public void UpdateStatus(TokenStatus newStatus, string comment = "")
    {
        // Writes both newStatus and comment in the Token table
        // and removes the token cookie if newStatus is not set to Active.
    }

    public uint TokenNumber { get; private set; }
    public uint MemberNumber { get; private set; } // Member table
    public string Name { get; private set; } // Member table
    public MemberState MemberState { get; private set; } // Member table
    public string MemberEmail { get; private set; } // Member table
    public uint BusinessNo { get; private set; } // Business table
    public DateTime CreatedOn { get; private set; }
    public DateTime LastAccessedOn { get; private set; }
    public uint TokenLife { get; private set; } // Member table
    public string CreatedIp { get; private set; }
    public string LastIp { get; private set; }
    public bool IsPersistent { get; private set; }
    public TokenStatus Status { get; private set; }
    public string Comment { get; private set; }

    // Cached per request in HttpContext.Items. A static field here would be shared by
    // every request on the server, handing one user's token to all other users.
    public static Token Current
    {
        get
        {
            var items = HttpContext.Current.Items;
            if (items["token"] == null)
                items["token"] = new Token(uint.Parse(HttpContext.Current.Request.Cookies["token"].Value));
            return (Token)items["token"];
        }
    }
}

public class Member
{
    // Member related operations: new member, send verification email and verify email
}
```

For logging out a user I call UpdateStatus(TokenStatus.Closed, "user logged out"). The method takes care of the cookie removal.

Note: the Member class has a property bool IsAdmin. You know what it is for.

Please suggest me the best solution to develop an authentication system according to my needs in the MVC application. Telling again, the options for new users, account recovery and email verification are done in the previous ASP.NET Web Forms application. I just need to put the Validate() method of the Token class in the right place in the MVC application. I am confused by the several solutions available on the internet.

If you hand-roll your own authentication, the security can only be as strong as how securely you store the ticket in the client side cookie.

Normally, you want to encrypt the auth ticket/token and access it via SSL. As long as you store the cookie securely at the client side, it should not be an issue.

I suggest you take a look at how ASP.NET creates the forms authentication ticket.

Note: if you use the ASP.NET forms authentication ticket you do not need to store the ticket/token in the database, because the user sends the auth ticket to the server on every page request.

```csharp
using System;
using System.Web;
using System.Web.Security;

public class AuthCookieIssuer
{
    private readonly HttpContextBase _httpContext;

    public AuthCookieIssuer(HttpContextBase httpContext) { _httpContext = httpContext; }

    // Issues the forms authentication cookie after the member has been validated.
    public void IssueTicket(string memberId, string tokenId, bool createPersistentCookie)
    {
        var now = DateTime.UtcNow.ToLocalTime();

        var ticket = new FormsAuthenticationTicket(
            1, /* version */
            memberId,
            now,
            now.Add(FormsAuthentication.Timeout),
            createPersistentCookie,
            tokenId, /* custom data */
            FormsAuthentication.FormsCookiePath);

        var encryptedTicket = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // only sent over HTTPS when requireSSL is on
            Path = FormsAuthentication.FormsCookiePath
        };

        if (ticket.IsPersistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        if (FormsAuthentication.CookieDomain != null)
        {
            cookie.Domain = FormsAuthentication.CookieDomain;
        }

        _httpContext.Response.Cookies.Add(cookie);
    }
}
```

How to create a principal object

Once the authenticated user requests a page, you need to retrieve the auth ticket from the cookie and create a principal object.

```csharp
// In Global.asax.cs
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null)
            return; // anonymous request: nothing to decrypt

        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(authCookie.Value);
        if (ticket == null || ticket.Expired)
            return; // tampered or expired ticket: stay anonymous

        var identity = new GenericIdentity(ticket.Name);
        var principal = new GenericPrincipal(identity, null);

        HttpContext.Current.User = principal;
        Thread.CurrentPrincipal = HttpContext.Current.User;
    }
}

// In an action method, this is how to check whether the user is logged in
public class HomeController : Controller
{
    public ActionResult Index()
    {
        if (User.Identity.IsAuthenticated)
        {
            // ...
        }
        return View();
    }
}
```

Do I need to extend the cookie expiration?

If you leave slidingExpiration true (which is true by default), it will increase the expiration time automatically. (Read more in this article.)
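The question's actual need, placing Token.Validate() so that [Authorize] works and anonymous users are sent back to the Web Forms login page with a return URL, as an added example that is not code from the question or the answer. It assumes the Token class from the question compiles as shown, that the shared cookie is named "token" on *.maindomain.com as the question says, and that the login page URL is a placeholder.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;

// Runs on every request before MVC authorization; register it under <system.webServer><modules> in Web.config.
public class TokenAuthenticationModule : IHttpModule
{
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticateRequest; }
    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpCookie cookie = context.Request.Cookies["token"];
        uint tokenNo;
        if (cookie == null || !uint.TryParse(cookie.Value, out tokenNo))
            return; // no usable cookie: stay anonymous so [Authorize] denies the request
        try
        {
            // Validate() runs here (validateImmediately) and throws on a closed token, a non-active member or an exceeded TokenLife window.
            var token = new Token(tokenNo, validateImmediately: true);
            context.User = new GenericPrincipal(new GenericIdentity(token.MemberEmail, "LegacyToken"), null);
            Thread.CurrentPrincipal = context.User;
        }
        catch (Exception)
        {
            // Invalid token: remain anonymous and expire the stale shared cookie.
            context.Response.Cookies.Add(new HttpCookie("token") { Expires = DateTime.UtcNow.AddDays(-1), Domain = ".maindomain.com" });
        }
    }
}

// [LegacyAuthorize] sends anonymous users to the Web Forms login page with the requested page as ReturnUrl.
public class LegacyAuthorizeAttribute : AuthorizeAttribute
{
    private const string LoginUrl = "https://www.maindomain.com/login.aspx"; // placeholder, not from the page
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(403); // logged in but not in a required role
            return;
        }
        string returnUrl = filterContext.HttpContext.Request.Url.AbsoluteUri;
        filterContext.Result = new RedirectResult(LoginUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl));
    }
}
```

Roles for [Authorize(Roles = "Admin")] can be passed as the second GenericPrincipal argument once the Member's IsAdmin flag is loaded alongside the token.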

