using System; | |
using System.Collections.Generic; | |
using System.Linq; | |
using System.Web; | |
using System.Web.Mvc; | |
using WebMatrix.WebData; | |
using System.Web.Routing; | |
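namespace Mvc4WithAuthentication.Auth
{
    /// <summary>
    /// Action filter that keeps the ASP.NET session and the forms-authentication ticket
    /// describing the same principal. Before every action it checks, in order:
    ///   1. WebSecurity (SimpleMembership) is initialized. If not, the session is abandoned and the
    ///      request is redirected to Account/Login (unless it is already going there) so that the
    ///      login action can perform the initialization.
    ///   2. If a forms-auth ticket is present, Session["UserName"] must be non-null and equal
    ///      (ordinal, case-sensitive) to the user name carried by the ticket.
    ///   3. If no ticket is present, Session["UserName"] must be null.
    /// A violation of 2 or 3 signs the user out, abandons the session and redirects to Account/Login.
    /// Only requests satisfying 2 or 3 reach the controller action.
    ///
    /// NOTE(review): this attribute protects only the actions it is applied to; register it in
    /// GlobalFilters (or on every controller) if the coupling is meant to be enforced site-wide.
    /// NOTE(review): Session.Abandon() discards the session data but does not remove the browser's
    /// session-id cookie, so the same id is reused for the next, anonymous session. If session
    /// fixation is a concern, also expire the session cookie (name taken from the configured
    /// sessionState cookieName) when forcing a logout — confirm against the deployment's config.
    /// </summary>
    public class CoupleSessionAndFormsAuth : ActionFilterAttribute
    {
        // Session slot that the login flow is expected to populate with the signed-in user name.
        private const string SessionUserNameKey = "UserName";
        private const string LoginActionName = "Login";
        private const string LoginControllerName = "Account";

        /// <summary>
        /// Runs before the controller action; see the class summary for the rules enforced.
        /// </summary>
        /// <param name="filterContext">Context of the action about to run. Its Result is set to a
        /// redirect to Account/Login when the session/ticket pairing is invalid.</param>
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            HttpContextBase httpContext = filterContext.HttpContext;
            // null when the session carries no identity information.
            string sessionUserName = (string)httpContext.Session[SessionUserNameKey];

            if (!WebSecurity.Initialized)
            {
                // Nothing can be verified until SimpleMembership is initialized: drop any session
                // state and let the login action (which is assumed to initialize it) handle the request.
                httpContext.Session.Abandon();
                if (!IsLoginAction(filterContext))
                {
                    filterContext.Result = RedirectToLogin();
                }
            }
            else if (WebSecurity.IsAuthenticated)
            {
                // A ticket is present: the session must name the same user. Ordinal and
                // case-sensitive, so "Alice" and "alice" are treated as different principals.
                bool identityMismatch = sessionUserName == null
                    || !string.Equals(sessionUserName, WebSecurity.CurrentUserName, StringComparison.Ordinal);
                if (identityMismatch)
                {
                    ForceLogout(filterContext);
                }
            }
            else if (sessionUserName != null)
            {
                // No ticket, yet the session still claims an identity: stale or inconsistent state.
                ForceLogout(filterContext);
            }

            base.OnActionExecuting(filterContext);
        }

        // True when the request already targets AccountController.Login (action name compared
        // case-insensitively with an ordinal comparison rather than a culture-dependent ToLower()).
        private static bool IsLoginAction(ActionExecutingContext filterContext)
        {
            return filterContext.Controller is AccountController
                && string.Equals(filterContext.ActionDescriptor.ActionName, LoginActionName, StringComparison.OrdinalIgnoreCase);
        }

        // Signs the user out of forms authentication, discards the session and redirects to login.
        private static void ForceLogout(ActionExecutingContext filterContext)
        {
            WebSecurity.Logout();
            filterContext.HttpContext.Session.Abandon();
            filterContext.Result = RedirectToLogin();
        }

        // Builds the redirect used by every failure path so the target is defined in one place.
        private static RedirectToRouteResult RedirectToLogin()
        {
            return new RedirectToRouteResult(new RouteValueDictionary
            {
                { "action", LoginActionName },
                { "controller", LoginControllerName }
            });
        }
    }
}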