1

I have a ASP.NET MVC website.

I don't really manage users, but I do a login to an external API and then I store a "ASPXFORMSAUTH" cookie.

It's a WCF service. In my controller, I call :

MyWcfServiceClient.Login()

In the AfterReceiveReply, I store the response of the service in a variable :

cookie = httpResponse.Headers[HttpResponseHeader.SetCookie];

Then In the controller, I get this cookie and store it using :

Response.Cookies.Add(cookie);

I'm a beginner with ASP.NET MVC, but can I use the [Authorize] attribute to allow the access to the controllers methods only if the request contains this cookie ? And [AllowAnonymous] on the methods before the API login.

EDIT :

So it should work just adding the [Authorize] attribute ?

I'm calling the controller method using ajax, and the value of Request.Headers["Cookie"] is .ASPXAUTH=1D415AF723......

But I get the ajax error callback...

Am I missing something ?

Improve this question
8
  • 2
    That's exactly how the AuthorizeAttribute works. Commented Aug 13, 2014 at 8:17
  • What exact error are you getting? Commented Aug 13, 2014 at 8:35
  • 1
    Are you manually handling the authentication protocol here? Just re-reading your question you mention "I do a login to an external API then I store a ASPXFORMSAUTH cookie". Commented Aug 13, 2014 at 8:37
  • 1
    Assuming you are using Forms Authentication here, unfortunately this doesn't cater for Ajax requests out the box. The main problem being what you want is a 403 response from the server if you haven't authenticated yet but instead what you would get down is most likely a 302 and the login page. To get around this problem the general solution is to implement your own custom AuthorizeAttributewhich handles ajax requests specifically - see this example Commented Aug 13, 2014 at 8:48
  • 1
    @Shad I don't unfortunately, however luckily for you the .NET framework is completely open source now so understanding how it works is a lot easier these days :) Commented Jul 2, 2023 at 15:49

2 Answers 2

Reset to default
2

[Authorize] will allow access to authorized users only.

You can either put it at the top of the controller so it applies to all functions on the controller or in front of individual functions. its more powerful than that though as you can allow only specific users or roles. documentation here

The allow [AllowAnonymous] is used when you have added some sort of Authorize to the whole controller but want to allow access for all to a function on the controller. its not required if the controller doesn't have an authorize attribute on it. example here I think the default MVC account in visual studio uses this on the account controller for password rest and login.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

I'm not fully sure since I haven't tried it before. But if you set the correct cookies (the default aspx auth cookie) the AuthorizeAttribute should prevent you from reaching the controller if you aren't authorized. Have you tried using the authorize attribute on a controller and logging in using your external API? Because it might just work out of the box.

Another option is to extend the default attribute by making your own. See the following articles for more information about this.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.