I'm going to be building this from scratch with C# and asp.net on Entity/MVC frameworks using LINQ.

We've opted to not use the built in membership authorization.

What I am trying to figure out is if I have all my bases covered or if I am forgetting something. Or if I am over complicating it.

Here is how I envision it.

I create a table that will house the user info, username, password. Move that to a model in my code.

I create an Authentication service in my code. Then, when they log in, I add the time they logged in to the table, and on each page visit I check that time: if 30 minutes have elapsed I log them out and put them back on the login page; otherwise I bring them to the page they requested.

Is this an ok way to go about it? Do I really need to add an authentication check to each page controller?

Which would basically be: Services.Authentication.VerifyLogin()

If 30 minutes have passed, log them out and update the table's LoggedIn to false. If within 30 minutes, update the LoggedInTime to the current time.

shenku
James Wilson
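An added sketch of the service the question describes (this is example code, not the asker's own): the user table keeps a per-user salt and a PBKDF2 hash rather than the password, Login verifies the hash with a fixed-time comparison, and VerifyLogin is the per-request check with the 30-minute idle window. The names AppDbContext, AppUser, PasswordHasher and AuthenticationService are assumptions; the caller is assumed to keep the returned user id in the session and pass it back to VerifyLogin.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Security.Cryptography;

// Assumed EF code-first context holding the users table from the question.
public class AppDbContext : DbContext
{
    public DbSet<AppUser> Users { get; set; }
}

// Model for the user table: the password columns hold a salt and a PBKDF2
// hash, never the password itself.
public class AppUser
{
    public int Id { get; set; }
    public string Username { get; set; }
    public byte[] PasswordSalt { get; set; }
    public byte[] PasswordHash { get; set; }
    public bool LoggedIn { get; set; }
    public DateTime? LoggedInTime { get; set; }
}

public static class PasswordHasher
{
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    public static void SetPassword(AppUser user, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        user.PasswordSalt = salt;
        user.PasswordHash = Derive(password, salt);
    }

    public static bool Verify(AppUser user, string password)
    {
        return FixedTimeEquals(Derive(password, user.PasswordSalt), user.PasswordHash);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }

    // Compare every byte regardless of where the first mismatch is, so the
    // comparison time does not leak how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class AuthenticationService
{
    private static readonly TimeSpan IdleTimeout = TimeSpan.FromMinutes(30);
    private readonly AppDbContext _db;

    public AuthenticationService(AppDbContext db) { _db = db; }

    // Returns the user's id on success (the caller keeps it in the session)
    // or null on failure; unknown user and wrong password look the same.
    public int? Login(string username, string password)
    {
        var user = _db.Users.SingleOrDefault(u => u.Username == username);
        if (user == null || !PasswordHasher.Verify(user, password)) return null;
        user.LoggedIn = true;
        user.LoggedInTime = DateTime.UtcNow;
        _db.SaveChanges();
        return user.Id;
    }

    // The per-request check from the question: log the user out after 30 idle
    // minutes, otherwise slide the window forward to the current time.
    public bool VerifyLogin(int userId)
    {
        var user = _db.Users.Find(userId);
        if (user == null || !user.LoggedIn || user.LoggedInTime == null) return false;
        bool expired = DateTime.UtcNow - user.LoggedInTime.Value > IdleTimeout;
        user.LoggedIn = !expired;
        user.LoggedInTime = expired ? null : (DateTime?)DateTime.UtcNow;
        _db.SaveChanges();
        return !expired;
    }

    public void Logout(int userId)
    {
        var user = _db.Users.Find(userId);
        if (user == null) return;
        user.LoggedIn = false;
        user.LoggedInTime = null;
        _db.SaveChanges();
    }
}
```

Calling VerifyLogin from a single action filter applied to all controllers, rather than from each action, keeps the check in one place; note also that this design costs a database write on every request, which the cookie-based approaches in the answers avoid.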
  • How you storing password? Plain text? – Srb1313711 Feb 20 '14 at 17:17
  • No, I will hash it somehow. – James Wilson Feb 20 '14 at 17:22
  • So every time they visit a page you will update the time in the db? So if they are on a page for more than 30mins they will be logged out? – Srb1313711 Feb 20 '14 at 17:25
  • 7
    "table that will house the user info, username, password" fail. There are certain categories of task that I would run away from. This is one of them. Just use the existing membership. Getting this stuff right is really really hard. Don't underestimate the task you're setting yourself. Make every effort to use an existing, ***tested*** framework. Rolling your own will almost certainly go wrong. – spender Feb 20 '14 at 17:25
  • @spender Thanks for the advice spender, but let's focus on the actual question, which stated I will not be using the built-in membership. And as a side note, where would I store the password if not in the database? – James Wilson Feb 20 '14 at 17:29
  • @Srb1313711 That was my original plan, I can't think of another way to manage it currently. – James Wilson Feb 20 '14 at 17:31
  • @JamesWilson : Sorry for banging on about it, but there's nothing in your requirements that can't be handled with the existing membership providers. What possible motivation might you have for not using existing tools? – spender Feb 20 '14 at 17:32
  • Typically, we would use Sessions in MVC to check login http://stackoverflow.com/questions/19181085/session-management-in-mvc – user1477388 Feb 20 '14 at 17:32
  • @JamesWilson Look at this for auto logout http://stackoverflow.com/questions/15991652/asp-net-automatic-logout, but why not use aspnet membership authorization? – Srb1313711 Feb 20 '14 at 17:33
  • @spender Because I have a superior who told me not to use it because he doesn't like it. So even if I would prefer to use it I cannot. – James Wilson Feb 20 '14 at 17:34
  • So, it is one of those "I don't like the Microsoft security framework for no apparent reason, so I will re-implement it without having the foggiest idea how to do it, please help me" posts. – 0leg Feb 21 '14 at 14:30
  • @JamesWilson sounds like your job is to convince your boss he's wrong, not to roll your own security system. – Codeman Feb 27 '14 at 20:50

2 Answers

I think what you want is to use an MVC authentication cookie, instead of checking your database for the time they logged in:

// requires: using System.Web.Security;
// sign in (second argument: false = session cookie, true = persistent cookie)
FormsAuthentication.SetAuthCookie(username, false);
// sign out (removes the authentication cookie)
FormsAuthentication.SignOut();

Ref. Custom Authentication and ASP.NET MVC

Ref. http://www.codeproject.com/Articles/578374/AplusBeginner-27splusTutorialplusonplusCustomplusF

Also, this is a good article on custom auth in MVC 4:

http://www.codeproject.com/Articles/601687/ASP-NET-MVC-4-Forms-Authentication-Customized

user1477388

If you're using MVC, you won't have to "add an authentication check to each page controller"; all you have to do is add the [Authorize] attribute above the actions that need authentication in your controllers, and that's about it.

Here's an Authorization sample that might help you out:
http://www.asp.net/mvc/tutorials/mvc-music-store/mvc-music-store-part-7

Pierre
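An added example (not code from either answer) putting the two answers together: the forms-authentication cookie from the first answer, configured with the 30-minute sliding expiration the question wants, and the [Authorize] attribute from the second answer so that no controller queries the database for login state. LoginModel, AccountController, HomeController and the CredentialStore.Validate helper (assumed to check the hashed password in the users table) are assumptions.

```csharp
// Web.config, inside <system.web>: a 30-minute window that the framework
// renews on each request, so the per-page timestamp update is not needed.
//
//   <authentication mode="Forms">
//     <forms loginUrl="~/Account/Login" timeout="30" slidingExpiration="true" />
//   </authentication>
using System.Web.Mvc;
using System.Web.Security;

public class LoginModel
{
    public string Username { get; set; }
    public string Password { get; set; }
    public string ReturnUrl { get; set; }
}

public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        return View(new LoginModel { ReturnUrl = returnUrl });
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model)
    {
        // CredentialStore.Validate is an assumed helper that verifies the
        // submitted password against the stored hash.
        if (ModelState.IsValid && CredentialStore.Validate(model.Username, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.Username, createPersistentCookie: false);
            // Only follow local return URLs, so the login page cannot redirect off-site.
            if (Url.IsLocalUrl(model.ReturnUrl)) return Redirect(model.ReturnUrl);
            return RedirectToAction("Index", "Home");
        }
        ModelState.AddModelError("", "Invalid username or password.");
        return View(model);
    }

    // Logging out via POST with the anti-forgery token keeps a third-party
    // page from signing the user out with a plain link.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login");
    }
}

// Nothing here touches the database for authentication: the [Authorize]
// filter rejects requests without a valid, unexpired cookie, and forms
// authentication turns that rejection into a redirect to loginUrl.
[Authorize]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // Opt a single action out of the controller-level [Authorize].
    [AllowAnonymous]
    public ActionResult About()
    {
        return View();
    }
}
```

Applying [Authorize] at the controller (or as a global filter) and opening up individual actions with [AllowAnonymous] is the safer default: a newly added action is protected unless someone deliberately exempts it.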