2

I am currently working on an MVC4 application where different types of users can visit the site and log in. There will be 2 different categorizations of users, type A and B where can access different areas of the site.

Authentication of the user is via service call to an authentication provider and they will return a status of whether the user have been authenticated or not and the users information eg name, address etc. At this point I would like to track that the user is authenticated and what role they are in. Previously I would have created a cookie with the users name, address etc and stored on the clients machine. But this was open to manipulation as the cookies were plain text.

But I would like to strengthen the security of the site and therefore looking at using FormsAuthentication. I am aware that generates a cookie but it is much more secure.

Is this the correct approach and can the users information such as address etc be stored in this cookie? Session where I would like to store it is not available to me. How would I achieve this with FormsAuthentication?

My second question is, once a user is logged in, how do I know the role that they are in?

Finally, once a user is logged in, should the entire site by https? Even areas that are open to everyone but being visited by the logged in user? The logged in user will have information displayed on screen from them on every page eg Welcome John.

Improve this question

1 Answer 1

Reset to default
4

Is this the correct approach and can the users information such as address etc be stored in this cookie?

You are correct that Forms Authentication will by default store user details in an encrypted cookie, so it is a more secure than what you have now.

With Forms Authentication you are able to specify the string content that goes into the client cookie. However I would argue that the only information you should store in the cookie is the User Identifier and Role Identifier(s). This information should be all that is necessary to authenticate and authorise a user per request. Any extra information such as address will just add weight to the cookie and can be fetched from the service when required.

To make use of Forms Authentication, simply add the Authentication element to the web.config inside the system.web section:

<authentication mode="Forms">
  <forms loginUrl="~/Login/Home" timeout="60" />
</authentication>

After you have called the service to validate the user, set the Cookie Data via the FormsAuthentication static class. Cookie data needs to contain the identifier of the user (if you want to display the user's name for example) and the Role identifier (explained below).

var username = // get name from service
var role = // get role from service
FormsAuthentication.SetAuthCookie(username + "-" + role, keepUserLoggedIn);

Use the same class to remove the cookie when the user signs out.

FormsAuthentication.SignOut();

My second question is, once a user is logged in, how do I know the role that they are in?

asp.net MVC provides a simple mechanism for permitting areas of your application only to specific users. By using the [Authorise] Attribute on any controller class or action method only logged in users will be allowed access - i.e users with a FormsAuthentication cookie present. Users who are not logged in will be redirected to the LoginUrl specified in the authenication element of the web.config.

The Authorise attribute also has an overload that will only permit users of a specific role to access the controller/method. This will allow only logged in users who are in the "Admin" role to access any action method of the controller.

[Authroise("Admin")]
public class EditController : Controller
{}

You then need to create your own implementation of the system interface RoleProvider. The interface contains many methods, but not all are necessary. The only method you need to implement to check which role a user is in is GetRolesForUser. This will be used by the [Authorise] attribute to determine if a user can view. 

public class MyRoleProvider : RoleProvider
{
    public override string[] GetRolesForUser(string username)
    {
        var authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];

        if (authCookie != null && !String.IsNullOrEmpty(authCookie.Value))
        {
            var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
            var roles = authTicket.UserData.Split(',')[1];
            return roles.Split(';');
        }

        throw new MemberAccessException("User not logged in");
    }
}

You then just need to tell your application to use your implementation of RoleProvider when the Authorise] Attribute kicks in. This is also done through the web.config inside the system.web element.

<roleManager defaultProvider="MyRoleProvider" enabled="true">
  <providers>
    <clear />
    <add name="MyRoleProvider" type="My.Namespace.MyRoleProvider" />
  </providers>
</roleManager>

Finally, once a user is logged in, should the entire site by https? Even areas that are open to everyone but being visited by the logged in user?

Ideally, yes. Once the user has logged in and you have set the FormsAuthentication cookie you need to protect that cookie from outside interception. To prevent this you should enforce the https protocol on all areas of your application. If a user's request is intercepted and a copy of the cookie is made then the 'man in the middle' can set the copy of the cookie in his browser and gain access to the protected areas of your site. With MVC you can use the [RequireHttpsAttribute] on any particular controllers or action methods similarly to the [Authorise] Attribute. In MVC4 there is an easy way to apply this 'Globally'. In your App_Start folder of your web project, find the FilterConfig class and include the following line to the RegisterGlobalFilters method:

filters.Add(new RequireHttpsAttribute());
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Many thanks for such an excellent answer, covers off all my points. Just 2 questions to ask, based on the last answer you gave - 1. if my site needs to be https only when user is logged in and not normally, how is this achieved? 2. Is it overkill to encrypt the contents of cookies as well as only making them available over https?
1. Perhaps I wasn't clear: your site should be entirely https if their is any login feature. This is to protect the credentials your user submits through the login form and to keep the encrypted cookie secure when they are moving through the site. 2. Its not overkill. Consider a logged in user who leaves their machine momentarily, a browser savvy person could inpesct the cookies and simply read the username and password.
Not that you should keep the encrypted password in the cookie, but you get the idea.
Ah ok - thanks for clarifying. I will investigate the possibility of making the entire site https. If this was not feasible, would encrypting the cookies without https, but a sufficient security step? As an aside, I am concerned regarding the performance overhead of encrypting all the cookies, so my other option is https the site (if feasible) and not encrypt the cookies?
I would prioritize cookie encryption over implementing https. Although if you have purchased a valid ssl certificate there is no reason you cannot do both. If you have the certificate it is arguably easier to enforce https all over the site than it is to enforce it only in certain areas (see my point in the answer about how to globally apply the RequireHttps attribute). And certainly do not be concerned about the overhead of encryption/decryption. Forms Authentication does a good job of optimizing this step and considering its importance I would consider the overhead completely negligible
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.