0

I'm going to be building this from scratch with C# and ASP.NET on Entity/MVC frameworks using LINQ.

We've opted to not use the built-in membership authorization.

What I am trying to figure out is if I have all my bases covered or if I am forgetting something. Or if I am overcomplicating it.

Here is how I envision it.

I create a table that will house the user info, username, password. Move that to a model in my code.

I create an Authentication service in my code. Then when they log in, I add the time they logged in to the table, and then on each page visit I check that time, and if 30 minutes have elapsed I log them out and put them back on the login page; otherwise I bring them to the page they requested.

Is this an OK way to go about it? Do I really need to add an authentication check to each page controller?

Which would basically be: Services.Authentication.VerifyLogin()

If 30 minutes have passed, log them out and update table LoggedIn to false. If within 30 minutes, update the LoggedInTime to current time.

12
  • How are you storing the password? Plain text? Commented Feb 20, 2014 at 17:17
  • No, I will hash it somehow. Commented Feb 20, 2014 at 17:22
  • So every time they visit a page you will update the time in the db? So if they are on a page for more than 30 mins they will be logged out? Commented Feb 20, 2014 at 17:25
  • 7
    "table that will house the user info, username, password" fail. There are certain categories of task that I would run away from. This is one of them. Just use the existing membership. Getting this stuff right is really really hard. Don't underestimate the task you're setting yourself. Make every effort to use an existing, tested framework. Rolling your own will almost certainly go wrong. Commented Feb 20, 2014 at 17:25
  • @spender Thanks for the advice spender, but let's focus on the actual question, which stated I will not be using the built-in membership. And as a side note, where would I store the password if not in the database? Commented Feb 20, 2014 at 17:29

2 Answers

2

I think what you want is to use an MVC authentication cookie, instead of checking your database for the time they logged in:

// sign in
FormsAuthentication.SetAuthCookie(username, false);
// sign out
FormsAuthentication.SignOut();

Ref. Custom Authentication and ASP.NET MVC

Ref. http://www.codeproject.com/Articles/578374/AplusBeginner-27splusTutorialplusonplusCustomplusF

Also, this is a good article on custom auth in MVC 4:

http://www.codeproject.com/Articles/601687/ASP-NET-MVC-4-Forms-Authentication-Customized


0

If you're using MVC, you won't have to "add an authentication check to each page controller". All you have to do is add the [Authorize] attribute above the Actions that need authentication in your controllers, and that's about it.

Here's an Authorization sample that might help you out:
http://www.asp.net/mvc/tutorials/mvc-music-store/mvc-music-store-part-7

2 Comments

Thanks! Was hoping I would have to do it for every controller.
You have the possibility to add it on the class level too.
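
Added example, not code from either answer or from the asker's project: the two answers combined in one controller, with [Authorize] at class level, the forms authentication cookie replacing the LoggedInTime check, and a salted PBKDF2 hash for the stored password. It assumes .NET Framework 4.7.2 or later, MVC 4 or later and a Login view; UserRecord, PasswordHasher, Users, Decoy, the iteration count and the sample account are hypothetical names and constructed values.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

// web.config carries the 30-minute sliding timeout instead of a LoggedInTime column:
//   <authentication mode="Forms"><forms loginUrl="~/Account/Login" timeout="30" slidingExpiration="true" /></authentication>
public class UserRecord { public byte[] Salt; public byte[] Hash; public int Iterations; } // hypothetical table row
public static class PasswordHasher
{
    public static UserRecord Create(string password, int iterations = 100000) // iteration count is an assumed value
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt); // fresh random salt per user
        return new UserRecord { Salt = salt, Iterations = iterations, Hash = Derive(password, salt, iterations) };
    }
    public static bool Verify(string password, UserRecord user)
    {
        byte[] candidate = Derive(password, user.Salt, user.Iterations);
        int diff = candidate.Length ^ user.Hash.Length;
        for (int i = 0; i < candidate.Length && i < user.Hash.Length; i++) diff |= candidate[i] ^ user.Hash[i];
        return diff == 0; // all bytes compared, so timing does not reveal where the first mismatch is
    }
    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256)) return kdf.GetBytes(32);
    }
}

[Authorize] // class level: every action needs the auth cookie unless marked [AllowAnonymous]
public class AccountController : Controller
{
    private static readonly Dictionary<string, UserRecord> Users = // constructed sample store, stands in for the EF table
        new Dictionary<string, UserRecord> { { "alice", PasswordHasher.Create("constructed-sample-password") } };
    private static readonly UserRecord Decoy = PasswordHasher.Create("decoy"); // hashed when the user is unknown
    [AllowAnonymous] public ActionResult Login() { return View(); }
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        UserRecord user;
        Users.TryGetValue(username ?? "", out user);
        bool ok = PasswordHasher.Verify(password ?? "", user ?? Decoy) && user != null; // same work for unknown users
        if (!ok) { ModelState.AddModelError("", "Invalid username or password."); return View(); }
        FormsAuthentication.SetAuthCookie(username, false); // false = session cookie, not persistent
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home"); // no open redirect
    }
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Logout() { FormsAuthentication.SignOut(); return RedirectToAction("Login"); }
}
```

With slidingExpiration enabled, ASP.NET reissues the cookie only once more than half of the timeout has elapsed, so a user can be signed out after somewhat less than 30 minutes of inactivity measured from their last request.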
