This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Web; | |
| using System.Web.Mvc; | |
| using WebMatrix.WebData; | |
| using System.Web.Routing; | |
| namespace Mvc4WithAuthentication.Auth | |
| { | |
| public class CoupleSessionAndFormsAuth : ActionFilterAttribute | |
| { | |
| /* Occurs before the controller action is executed | |
| * Verifies one of two sitations: | |
| * 1. If the user is authenticated, the username in the session matches the username in the forms authentication token | |
| * 2. If the user does not have a forms authentication token, their session should not include any identity information, like a username | |
| * If any of these cases are violated, then the user will be logged out, their session will be destoryed, and they will be redirected to the login page | |
| * The following conditions will allow the user to reach the controller action: | |
| * 1. They do not have a forms auth token, and their session does not contain identity information | |
| * 2. They have a forms auth token, their session contains an identity, and the usernames match in both the forms auth token and the session | |
| */ | |
| public override void OnActionExecuting(ActionExecutingContext filterContext) | |
| { | |
| //Grab the username from the session. returns null or the username | |
| String username = (String)filterContext.HttpContext.Session["UserName"]; | |
| if (!WebSecurity.Initialized) | |
| { | |
| //clear the session | |
| filterContext.HttpContext.Session.Abandon(); | |
| //redirect to the login page if not already going there | |
| if (!(filterContext.Controller is AccountController && filterContext.ActionDescriptor.ActionName.ToLower() == "login")) | |
| { | |
| filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } }); | |
| } | |
| } | |
| //If the user is authenticated, compare the usernames in the session and forms auth cookie | |
| //WebSecurity.Initialized is true | |
| else if (WebSecurity.IsAuthenticated) | |
| { | |
| //Do the usernames match? | |
| if (username == null || username != WebSecurity.CurrentUserName) | |
| { | |
| //If not, log the user out and clear their session | |
| WebSecurity.Logout(); | |
| filterContext.HttpContext.Session.Abandon(); | |
| //redirect to the login page | |
| filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } }); | |
| } | |
| } | |
| //If the user is not authenticated, but the session contains a username | |
| //WebSecurity.Initialized is true | |
| //WebSecurity.IsAuthenticated is false | |
| else if (username != null) | |
| { | |
| //log the user out (just in case) and clear the session | |
| WebSecurity.Logout(); | |
| filterContext.HttpContext.Session.Abandon(); | |
| //redirect to the login page | |
| filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } }); | |
| } | |
| base.OnActionExecuting(filterContext); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment