using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using WebMatrix.WebData;
using System.Web.Routing;
namespace Mvc4WithAuthentication.Auth
{
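/// <summary>
/// Action filter that keeps the ASP.NET session and the forms-authentication ticket in step.
/// Runs before every controller action it is applied to and enforces two invariants:
///   1. An authenticated request (valid forms-auth ticket) must carry a session whose
///      "UserName" entry equals the ticket's user name.
///   2. An unauthenticated request must not carry a session that still holds identity
///      information (a "UserName" entry).
/// A request that violates either invariant is logged out, has its session abandoned and is
/// redirected to Account/Login. Only two states reach the action: no ticket and no session
/// identity, or a ticket plus a session identity whose user names agree.
/// </summary>
public class CoupleSessionAndFormsAuth : ActionFilterAttribute
{
    // Session key read by this filter. Assumes the login action stores the user name under
    // exactly this key — confirm against AccountController.
    private const string SessionUserNameKey = "UserName";

    /// <summary>
    /// Validates the session/forms-auth pairing described on the class before the action runs.
    /// </summary>
    /// <param name="filterContext">The MVC filter context for the current request.</param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Null when the session carries no identity information.
        string sessionUserName = (string)filterContext.HttpContext.Session[SessionUserNameKey];

        if (!WebSecurity.Initialized)
        {
            // The membership system is not ready, so no authentication claim can be checked.
            // Drop whatever the session holds and send the user to the login page unless that
            // is already the destination (avoids a redirect loop on Account/Login).
            filterContext.HttpContext.Session.Abandon();
            if (!IsLoginAction(filterContext))
            {
                filterContext.Result = LoginRedirect();
            }
        }
        else if (WebSecurity.IsAuthenticated)
        {
            // Invariant 1: the session identity must match the forms-auth ticket. Ordinal
            // comparison, since user names are identifiers rather than display text.
            if (sessionUserName == null
                || !string.Equals(sessionUserName, WebSecurity.CurrentUserName, StringComparison.Ordinal))
            {
                InvalidateAndRedirect(filterContext);
            }
        }
        else if (sessionUserName != null)
        {
            // Invariant 2: no ticket, yet the session still names a user. Treat the stale
            // identity as untrusted and start over.
            InvalidateAndRedirect(filterContext);
        }

        base.OnActionExecuting(filterContext);
    }

    // True when the request already targets AccountController.Login. Compared with
    // OrdinalIgnoreCase rather than ToLower(): MVC action names are case-insensitive, and a
    // culture-sensitive ToLower() (e.g. Turkish dotless i) could miss the match and loop the
    // redirect on the login page itself.
    private static bool IsLoginAction(ActionExecutingContext filterContext)
    {
        return filterContext.Controller is AccountController
            && string.Equals(filterContext.ActionDescriptor.ActionName, "Login", StringComparison.OrdinalIgnoreCase);
    }

    // Signs out the forms-auth ticket, abandons the session and redirects to the login page.
    // Note: Session.Abandon() ends the server-side session but does not clear the session-ID
    // cookie, so ASP.NET may reuse the same ID on the next request; if a fresh ID is required
    // after logout, the session cookie must be expired as well — confirm against the app's
    // session-state configuration.
    private static void InvalidateAndRedirect(ActionExecutingContext filterContext)
    {
        WebSecurity.Logout();
        filterContext.HttpContext.Session.Abandon();
        filterContext.Result = LoginRedirect();
    }

    // Redirect to Account/Login. Appropriate for browser navigation; AJAX callers would
    // receive the login page's HTML rather than an error status.
    private static RedirectToRouteResult LoginRedirect()
    {
        return new RedirectToRouteResult(new RouteValueDictionary { { "action", "Login" }, { "controller", "Account" } });
    }
}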
}