ASP.NET MVC FormsAuth with LogonUserControl in Site.Master

We have an email confirmation page for registration, which can be deleted using the "once" link to activate your account.

The nature of the site is such that we can allow this link to automatically register the user. This requirement is pending (at my request!).

The following situation is a bit confusing:

  • The user follows the confirmation link in his letter
  • This applies to the Confirm controller.
  • All that is good, the user is automatically registered using:

    FormsAuth.SignIn(user.UserName,false); 
  • The view is returned from the controller

The view uses the main page, which contains a partial view, which is a component of LogonUserControl.ascx . Inside the component there is the following code (it comes from the asp.net mvc project template):

 if (Request.IsAuthenticated) { /*foo*/ } 

When the page is displayed, Request.IsAuthenticated returns false, despite the fact that the user is signed in by the controller.

I wonder why this might be. Has the wizard been generated by the time the FormsAuth.SignIn method is called, or is it using the Request object for this verification, because it was not authenticated at the time the Request was received?

EDIT: By default, LogOn uses redirection rather than returning a view. This, of course, will solve the problem; however, I am interested in why the script above does not work.

1 answer

This does not work because the request that already occurred before your action started did not authenticate. The request is either authenticated or not; it cannot begin life as unauthenticated and authenticate in the middle of the action. An authenticated request is one that was sent using a valid authentication ticket. Since the login request did not include this, it is not authenticated and cannot be authenticated.

However, when redirecting, the browser issues a new request, which, of course, comes with a valid authentication ticket, usually in the form of a cookie.

By the way, redirection is what needs to be done in this case. Your username is POST, and you should use the Post / Redirect / Get template. Imagine that the login page returns the user to the website's home page. If you return the view instead of being redirected to the home page, then when the user presses F5 to refresh the page, the browser will warn them that they are going to resend their login credentials, which you do not want. Performing the redirect makes the browser issue a GET for the home page, so the user will not be warned if they press F5.

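As an added example (not part of the original answer or the project's code), the confirm-then-redirect flow described above could look like this. It calls FormsAuthentication.SetAuthCookie directly in place of the page's FormsAuth.SignIn; IActivationService, ConsumeToken and the view and action names are hypothetical, and constructor injection assumes a controller factory that supplies the service.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical service: validates and consumes the one-time token from the e-mail link.
public interface IActivationService
{
    // Returns the activated user name, or null if the token is
    // unknown, expired or already used.
    string ConsumeToken(string token);
}

public class ConfirmController : Controller
{
    private readonly IActivationService _activation;

    public ConfirmController(IActivationService activation)
    {
        _activation = activation;
    }

    // Request 1: arrives from the e-mail link without an auth cookie,
    // so Request.IsAuthenticated stays false for its whole lifetime.
    public ActionResult Index(string token)
    {
        string userName = _activation.ConsumeToken(token);
        if (userName == null)
        {
            return View("InvalidLink"); // hypothetical view name
        }

        // Only adds the ticket cookie to the *response*; the identity of
        // the current request was fixed before the action started.
        FormsAuthentication.SetAuthCookie(userName, false);

        // Rendering a view here would show LogonUserControl in its
        // anonymous state. Redirect so the browser issues a new request.
        return RedirectToAction("Welcome");
    }

    // Request 2: the browser follows the redirect and sends the new
    // cookie, so the request is authenticated before this action runs.
    [Authorize]
    public ActionResult Welcome()
    {
        return View();
    }
}
```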