All geek questions in one place

Require re-authentication for specific actions

For certain actions, such as changing email settings or admin actions, I want users to re-authenticate before the action is completed. Is there a good template for this in ASP.NET MVC 3?

+3
source share
2 answers

Descpription

You can create your ActionMethod using Username , Password and the field you want to change ( Email ), for example. Then check this data in [HttpPost] your data. If authorization is successful, change it and if not add an error to ModelState .

To do this, use ViewModel.

Example

 public class ChangeEmailViewModel { public string Username { get; set; } public string Password { get; set; } public string EmailAddress { get; set; } } public ActionResult ChangeEmail() { return this.View(new ChangeEmailViewModel()); } public Action ChangeEmail(ChangeEmailViewModel model) { // authorize bool isAuthorized = // your logic. if (isAuthorized) { // change email } else { ModelState.AddModelError("Username", "Username is not valid"); } return this.View(model); }
+2
source

If you want to dynamically intercept and re-authenticate someone who has already authenticated, you can probably also handle this with a special cookie. Actions requiring re-authorization can be decorated with a custom filter that overrides OnAuthorization to check the cookie, and then redirect its username and password if it is not found. Template, without code:

 User clicks link to uber-protected action. Filter on action looks for cookie and does not find it, redirects to sign in. User signs in, and you write a special cookie (different from the forms auth cookie), then redirect back to original action. Filter on action looks for cookie and finds it authorizing user.

At least the cookie lifetime should go all the way to the secure object's http message. You will need to decide when to remove it. For example, after re-authorizing a user for one uber-protected action, do you want them to re-authorize for a second uber-protected action in the same browser session?

0
source

Source: https://habr.com/ru/post/954546/

More articles:


All Articles