OWIN and ASP.NET Identity (edit)

OWIN cookie authentication middleware for the ASP.NET developer

https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

A Guide to Claims-Based Identity and Access Control (2nd Edition)

https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff423674(v=pandp.10)?redirectedfrom=MSDN

OWIN

http://www.codedigest.com/posts/1/what-is-owin-a-beginners-guide

http://www.codedigest.com/posts/2/creating-our-first-owin-based-application

Explain the ASP.NET Identity Cookie Authentication Timeouts

https://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/

Session & Timeout

https://markfreedman.com/handling-session-and-authentication-timeouts-in-asp-net-mvc/

https://vxcompany.com/2018/12/13/cookies-tokens-and-session-lifetime-with-identity-server/ (work with Hybrid App)

ASP.NET MVC 4

https://dotnetcodr.com/2013/02/25/claims-based-authentication-in-mvc4-with-net4-5-c-part-1-claims-transformation/

https://dotnetcodr.com/2013/02/28/claims-based-authentication-in-mvc4-with-net4-5-c-part-2-storing-authentication-data-in-an-authentication-session/

https://dotnetcodr.com/2013/03/04/claims-based-authentication-in-mvc4-with-net4-5-c-part-3-claims-based-authorisation/

ASP.NET Identity with FormsAuthentication in ASP.NET WebForms

https://www.red-gate.com/simple-talk/dotnet/asp-net/handmade-claims-based-authentication-for-old-fashioned-asp-net-sites/

ASP.NET Identity and OWIN Cookie Authentication are claims-based system

1. Microsoft.Owin
2. Microsoft.Owin.Host.SystemWeb
3. Microsoft.Owin.Security.Cookies
4. Owin
5. Microsoft.AspNet.Identity
6. System.Security.Claims.ClaimsIdentity

Lời tựa

Session timeout Là khoảng thời gian lớn nhất có thể giữa hai lần người dùng gửi yêu cầu (request) lên server mà session của người dùng chưa bị hủy. Vấn đề thường gặp là Session hay bị mất khi đang xử lý thông tin trước khi Submit form. Bài viết này xin giới thiệu một giải pháp cho vấn đề session timeout trong ASP.NET

Snippet: Startup.cs (OWIN Startup class)

        public void Configuration(IAppBuilder app)
        {
            int sessionTimeout = Convert.ToInt32(ConfigurationManager.AppSettings["SessionTimeout"]);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                CookieSecure = CookieSecureOption.Never,
                SlidingExpiration = false,
                ExpireTimeSpan = TimeSpan.FromMinutes(sessionTimeout)
            });
        }

Snippet: AccountController.cs

        [HttpPost]
        [AllowAnonymous]
        public ActionResult Login(string login, string password)
        {
            Logger.Log.Info("AccountController.Login (HTTP.POST) called.");
 
            if ((login == "admin") && (password == "123"))
            {
                var claims = new List<Claim>();
                claims.Add(new Claim(ClaimTypes.Name, "admin"));
                claims.Add(new Claim(ClaimTypes.Role, "admin"));
                claims.Add(new Claim(ClaimTypes.Email, "admin@abc.com"));
                var id = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
 
                var ctx = Request.GetOwinContext();
                var authenticationManager = ctx.Authentication;
                authenticationManager.SignIn(id);
 
                return RedirectToAction("Index", "Home");
            }
            else
            {
                ModelState.AddModelError("IncorrectUser", "Please, use correct login and password.");
                return View();
            }
        }
 
        public ActionResult Logout()
        {
            Logger.Log.Info("AccountController.Logout (HTTP.GET) called.");
 
            var ctx = Request.GetOwinContext();
            var authenticationManager = ctx.Authentication;
            authenticationManager.SignOut();
 
            return RedirectToAction("Login");
        }

ApplicationAuthorizeAttribute.cs

    public class ApplicationAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
    {
        public ApplicationAuthorizeAttribute()
        {
            Logger.Log.Info("ApplicationAuthorize constructor called.");
        }
 
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            Logger.Log.Info("ApplicationAuthorize.HandleUnauthorizedRequest called.");
 
            var httpContext = filterContext.HttpContext;
            var request = httpContext.Request;
            var response = httpContext.Response;
            var user = httpContext.User;
 
            if (request.IsAjaxRequest())
            {
                if (user.Identity.IsAuthenticated == false)
                {
                    response.StatusCode = (int)HttpStatusCode.Unauthorized;
                }
                else
                {
                    response.StatusCode = (int)HttpStatusCode.Forbidden;
                }
 
                response.SuppressFormsAuthenticationRedirect = true;
                response.End();
            }
 
            base.HandleUnauthorizedRequest(filterContext);
        }
    }

OWIN startup class

Snippet

ClaimsPrincipal identity = (ClaimsPrincipal)Thread.CurrentPrincipal;
IEnumerable<Claim> claims = identity.Claims;

Snippet

IOwinContext ctx = Request.GetOwinContext();
ClaimsPrincipal user = ctx.Authentication.User;
IEnumerable<Claim> claims = user.Claims;

Snippet

var identity = (ClaimsIdentity)User.Identity;
IEnumerable<Claim> claims = identity.Claims;

Usage:

Page.User
Controller.User

string username = User.Identity.Name;
bool isAdmin = User.IsInRole("admin");

HttpContext.User
Thread.CurrentPrincipal
ClaimsPrincipal.Current

claims : [
    {"type": "name", "value": "Jon Snow"},
    {"type": "home", "value": "Winterfell, The North, Westeros"},   
    {"type": "email", "value": "jon@nightswatch-veterans.org"},
    {"type": "role", "value": "veteran;deserter;"},
    {"type": "department", "value": "none"},    
    {"type": "allowEntry", "value": "true"},
    {"type": "access", "value": "castleblack;eastwatch;"}
]

Snippet

    public enum CookieSecureOption
    {
        SameAsRequest,
        Never,
        Always
    }