ASP.NET MVC Authentication using AccountController

The AccountController class is a controller for user authentication which is included in a default MVC project created with Visual Studio. Prior to using this controller, you will need to modify it so that it no longer refers to the HomeController which you most likely will remove. To do this, replace each of these instances:

return RedirectToAction("Index", "Home");

so they are as below:

return RedirectToAction("Index", "Products");

This will cause the authentication controller to redirect a user to the products controller once an authentication action ends. The default ASP.NET MVC master page has links for a user to log in, log out and register. The MVC Authorize filter controls which users may access the controller methods. Below is an example of the Authorize filter applied to the Delete method in the products controller class:

[Authorize]
public ActionResult Delete(int id) {
    // Only an authenticated user reaches this point; the filter redirects
    // anonymous requests to the login page before the action body runs.
    NorthwindEntities dbObj = new NorthwindEntities();
    var data = dbObj.Products.Where(e => e.ProductID == id).Select(e => e).Single();
    return View(data);
}

If a user clicks a delete link to delete a product record, the MVC framework checks the filter before running the action. If the user is currently logged in, the action proceeds. If the user has not logged in, they are asked to provide their username and password or to create a new account. This can be made more restrictive by naming specific users in the filter. Below is an example of the Authorize filter applied so that the Delete method is available only to Mike Smith:

[Authorize(Users="Mike Smith")]
public ActionResult Delete(int id) {

Now only Mike Smith can perform the delete actions; all other users will be asked for their credentials. The MVC Authorize filter can also be applied to the whole controller class. Below is an example of the Authorize filter applied to the ProductsController class, so that only authenticated users can access any of its controller actions:

[Authorize]
public class ProductsController : Controller {
    // every action method in this class now requires an authenticated user
}

The Authorize filter has an Order property which works just like the HandleError filter's Order property. If the Authorize filter is applied both at the controller level and on a specific action method, the controller-wide setting will always have precedence unless the Order property is used.
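The following controller is an added example, not code from the original article, that combines the three uses of the Authorize filter described above in one class: a controller-wide filter, a per-action restriction to a named user with an explicit Order, and a POST-only confirmation step that carries the anti-forgery check so a forged link cannot delete a record on a logged-in user's behalf. It assumes the NorthwindEntities ObjectContext and its Products set from the article and MVC 2 or later (for HttpPost and ActionName); the "Administrators" role name is a placeholder.

```csharp
using System.Linq;
using System.Web.Mvc;

[Authorize]                     // controller-wide: every action needs a logged-in user
public class ProductsController : Controller
{
    // GET: /Products/
    // Any authenticated user may list products (controller-level filter only).
    public ActionResult Index()
    {
        using (var db = new NorthwindEntities())
        {
            return View(db.Products.ToList());
        }
    }

    // GET: /Products/Delete/5
    // A second, more specific filter on the action. Order sets the sequence in
    // which the two Authorize filters are evaluated; a request has to satisfy
    // both before the action body runs.
    [Authorize(Users = "Mike Smith", Order = 2)]
    public ActionResult Delete(int id)
    {
        using (var db = new NorthwindEntities())
        {
            var product = db.Products.Single(e => e.ProductID == id);
            return View(product);   // confirmation page, no data is changed here
        }
    }

    // POST: /Products/Delete/5
    // The destructive step only runs on a POST that carries a valid
    // anti-forgery token, so a plain link or image tag cannot trigger it.
    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Administrators")]   // placeholder role name, not from the article
    public ActionResult DeleteConfirmed(int id)
    {
        using (var db = new NorthwindEntities())
        {
            var product = db.Products.Single(e => e.ProductID == id);
            db.Products.DeleteObject(product);   // ObjectContext API; a DbContext uses Remove()
            db.SaveChanges();
        }
        return RedirectToAction("Index");
    }
}
```

The confirmation view that posts back to DeleteConfirmed must render `Html.AntiForgeryToken()` inside its form, otherwise ValidateAntiForgeryToken rejects the request.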

Beginners Guide to Forms Authentication in ASP.NET

There are four basic parts to simple forms authentication. Those parts are:

  1. The form (to gather user ID & pwd) itself
  2. The Web.Config file entry
  3. The data store (the place where you keep the usernames and passwords)
  4. The validation process, triggered in the click event of the form.

Here is an example of the simplest of Forms (let’s call the page ‘Login.aspx’), designed to gather the user ID and password:

<table>
  <tr>
    <td align="Right" valign="Top"><b>User ID: </b></td>
    <td align="Left" valign="Top">
      <asp:TextBox id="txtUID" Runat="server" />
    </td>
  </tr>
  <tr>
    <td align="Right" valign="Top"><b>Password: </b></td>
    <td align="Left" valign="Top">
      <asp:TextBox id="txtPWD" TextMode="Password" Runat="server" />
    </td>
  </tr>
  <tr>
    <td align="Right" valign="Top" colspan="2">
      <asp:Button id="submitButton" Text="Login" onclick="doLogin" Runat="server" />
    </td>
  </tr>
</table>

In the Web.Config file, add this:

<authentication mode="Forms">
  <!-- loginUrl is the page we named for the form above -->
  <forms name=".FormName" loginUrl="login.aspx" protection="All" timeout="480" path="/" />
</authentication>
<authorization>
  <!-- "?" is the anonymous user: anyone not logged in is sent to loginUrl -->
  <deny users="?" />
</authorization>

For the data store you can use anything you’d like; however, I’m a bit partial to databases for quick interaction, so this example will use a database. You’ll need to create a table in your database to store your names, user IDs and passwords. Here’s a list of the basic table fields you’ll need:

| Field Name | Data Type | Notes |
|---|---|---|
| id | Integer | for Access, use AutoNumber; for SQL Server, create an Identity column |
| Name | MS Access: Text; SQL Server: VarChar | use a length you feel is appropriate; you can also make this two fields (First and Last names) so the first name is easier to use elsewhere on the site once the user is logged in |
| Login | MS Access: Text; SQL Server: VarChar | unless you want an exact number of characters |
| Password | (same as above) | |

For the actual work, create a click event for the button in the form; let’s call it ‘doLogin’. You’ll also create a function to do the validation, let’s call it ‘ValidateUser’, with a couple of arguments, ‘uid’ and ‘pwd’. Finally, create a label with an ID of ‘lblError’, just in case the login attempt fails.
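As an added example (not the article's own code), here is a code-behind for Login.aspx that wires the doLogin click handler, the ValidateUser(uid, pwd) function and the lblError label together. It assumes the table above is named Users, that the connection string is registered under the placeholder name "AuthDb", and that the Password column holds a salted PBKDF2 hash (base64 of salt followed by hash, produced by the HashPassword helper at registration time) rather than the clear-text password. The lookup is parameterised, so the text typed into the form is never spliced into the SQL statement.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Click handler referenced by onclick="doLogin" on the Login button.
    protected void doLogin(object sender, EventArgs e)
    {
        string uid = txtUID.Text.Trim();
        string pwd = txtPWD.Text;

        if (ValidateUser(uid, pwd))
        {
            // Issues the forms-authentication ticket and returns the user to the
            // page that redirected them here (ReturnUrl), or to the default URL.
            FormsAuthentication.RedirectFromLoginPage(uid, false);
        }
        else
        {
            // One message for unknown user and wrong password alike, so the
            // form does not reveal which logins exist.
            lblError.Text = "Login failed. Please check your User ID and password.";
        }
    }

    // Fetches the stored hash for uid and checks pwd against it.
    private bool ValidateUser(string uid, string pwd)
    {
        if (string.IsNullOrEmpty(uid) || string.IsNullOrEmpty(pwd))
            return false;

        // "AuthDb" is a placeholder connection-string name (assumption).
        string connStr = ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString;
        string stored;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("SELECT Password FROM Users WHERE Login = @login", conn))
        {
            cmd.Parameters.AddWithValue("@login", uid);   // parameter, not string concatenation
            conn.Open();
            stored = cmd.ExecuteScalar() as string;       // null when no such login
        }

        return stored != null && VerifyPassword(pwd, stored);
    }

    // stored = base64( 16-byte salt || 32-byte PBKDF2 output ), the format
    // written by HashPassword below.
    private static bool VerifyPassword(string pwd, string stored)
    {
        byte[] blob = Convert.FromBase64String(stored);
        if (blob.Length != 48) return false;

        byte[] salt = new byte[16];
        Buffer.BlockCopy(blob, 0, salt, 0, 16);
        byte[] expected = new byte[32];
        Buffer.BlockCopy(blob, 16, expected, 0, 32);

        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(pwd, salt, 10000))
            actual = kdf.GetBytes(32);

        // Compare every byte regardless of where the first mismatch is.
        int diff = 0;
        for (int i = 0; i < 32; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    // Call this when inserting a row; the return value goes in the Password column.
    public static string HashPassword(string pwd)
    {
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);

        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(pwd, salt, 10000))
            hash = kdf.GetBytes(32);

        byte[] blob = new byte[48];
        Buffer.BlockCopy(salt, 0, blob, 0, 16);
        Buffer.BlockCopy(hash, 0, blob, 16, 32);
        return Convert.ToBase64String(blob);
    }
}
```

Because the Web.Config entry above denies "?" everywhere under path="/", the framework redirects every anonymous request to login.aspx with a ReturnUrl, and RedirectFromLoginPage sends the user back there once ValidateUser succeeds.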