Cookie based authentication explained in ASP.NET Core

cookie_auth

Cookie based authentication explained in ASP.NET Core

Cookie based authentication can be implemented in ASP.NET Core using the built in Authentication service and Authentication middleware

// Add Cookie Authentication service
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login"; // Specify the path to the login page
        options.AccessDeniedPath = "/Account/AccessDenied"; // Specify the path for access denied
        options.ExpireTimeSpan = TimeSpan.FromMinutes(60); // Set the cookie expiration time
        options.SlidingExpiration = true; // Enable sliding expiration
    });
  • AddAuthentication adds required services for authentication. It also specifies the default authentication scheme to be used for authentication. In this example, the default scheme is CookieAuthenticationDefaults.AuthenticationScheme
  • AddCookie provides an authentication handler (that uses cookies) for the authentication scheme.
  • Authenticaiton middleware is added to the request pipeline using the following
app.UseAuthentication();

auth middleware arch

  • The middleware uses the DI container’s authentication service to determine the logged in user details from the request cookie and populates the User’s ClaimsPrincipal in HttpContext.User
  • Now the subsequent middleware (like razor pages, controllers etc) can figure out the logged in user details to grant or revoke access

  • User will submit credentials and complete required challenges like 2 factor authentication in the login page
  • The user credentials will be verified from a database a ClaimsPrincipal will be created to represent the logged in user
  • HttpContext.SignInAsync sets the logged in user details (in the form of a ClaimsPrincipal) in the cookie
await HttpContext.SignInAsync(
    CookieAuthenticationDefaults.AuthenticationScheme,
    new ClaimsPrincipal(claimsIdentity),
    authProperties);

Signout logged in user

await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
  • HttpContext.SignOutAsync expires the cookie that contains the logged in user details (ClaimsPrincipal) and makes the HttpContext.User as null

Access logged in user details

  • After the authentication middleware figures out the logged in user details from the cookie, the user details (ClaimsPrincipal) can be accessed via HttpContext.User object
  • For example
    • HttpContext.User?.Identity?.IsAuthenticated can be used to determine if a request is authenticated
    • HttpContext.User.Identity.Name can be used to determine the logged in user name

References

Location: Mumbai, Maharashtra, India

Comments

Post a Comment

Popular posts from this blog

ClaimsPrincipal, ClaimsIdentity, Claims explained in dotnet authentication

Image
claimsprincipal_dotnet Authentication means identifying a subject (user, external application etc) ASP.Net Core Identity is a framework that uses claims based authentication to authenticate users Key concepts in Claims-based authentication Claim Claim is a statement about the subject (user) being authenticated It is a key value pair (like username=John is a claim, email=john1543@gmail.com is a claim, userId=236 is a claim) A claim can have an issuer (for example: userId=236 as per system , date of birth=1st-Jan-2006 as per Gmail ; here system and Gmail are the issuers) ClaimsIdentity ClaimsIdentity is a collection of claims of the subject (user) For example, driving license of a subject (user) can be a ClaimsIdentity that has claims like name, photo, date of birth, address etc. Passport can be a ClaimsIdentity that has claims like name, place of birth, photo, nationality, permanent address etc ClaimsIdentity also has a string property called Authenti...
Read more

Manage packages in dotnet applications

Image
dotnet_packages By using packages , third party logic can be used in dotnet applications Packages declaration in csproj file The external packages used by a project are declared in its csproj file like the following The packages will be downloaded and linked as per the csproj package references during the restore or build process Browse Nuget packages online Nuget packages can searched online at https://www.nuget.org/PACKAGES Manage packages from dotnet cli Install / update a package command - dotnet add <PROJECT_FOLDER> package <PACKAGE_NAME> -v <VERSION> The following command adds/updates a package in a project. If the package is already present, it will be updated to the latest version dotnet add package Microsoft.Data.Sqlite Install a specific version using -v flag like the following dotnet add package Microsoft.Data.Sqlite -v 8.0.10 List all packages in a project command - dotnet list <PROJECT_FOLDER> package ...
Read more

Implicit usings, top level statements, file scoped namespaces in dotnet

implicit usings Implicit usings = no repeated using statement in all files With implicit usings feature in a C# project, common using statements are automatically added by the compiler in all the C# files. For example using System; statement is not required to run the dotnet console application as shown below Console . WriteLine ( "Hello World!" ) ; Additional implicit usings can be declared in a C# project with global usings statements in any one of the project’s C# files as shown below. global using Ardalis . GuardClauses ; global using MediatR ; global using Project2 . Utils ; Existing implicit usings can be removed or included in the .csproj file of the C# project as shown below < ItemGroup > < Using Remove = " System.Threading.Tasks " /> < Using Include = " System.Math " /> </ ItemGroup > The implicit usings added in a C# project is based on the project type as sh...
Read more