0

I have an MVC 5 site (based on nopCommerce), and I need to force all users to log in. The way I've done it in the past in other languages was to check in the page header (so it's on every page) if the user is logged in, and redirect to the login page if they aren't. I don't know the proper way to accomplish this in MVC, however. Other answers I found said that redirection is not a thing to do in MVC, which is fine, but I can't figure out how to properly accomplish this. How do I redirect all unauthorized users to a login page?

vaindil
  • 7,536
  • 21
  • 68
  • 127
  • 1
    Check out this. You'll want to make sure you authorize every request: http://stackoverflow.com/questions/27024822/adding-authorization-header-with-access-token-for-every-request-using-mvchandler – Glenn Ferrie Oct 13 '15 at 18:03

3 Answers

6

You can add "AuthorizeAttribute" in "RegisterGlobalFilter" in App_Start like below:

public class FilterConfig
{
    public static void RegisterGlobalFilter(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

And in Application_Start in Global.asax you should register this filter:

    protected void Application_Start()
    {
        FilterConfig.RegisterGlobalFilter(GlobalFilters.Filters);

         .
         .
         .
    }

And for every controller where you don't need user registration, you can use the "AllowAnonymous" attribute over the action in the controller, like this:

[AllowAnonymous]
public ActionResult Login()
{
    //do something
}

For more information, please follow this link.

Iraj
  • 1,492
  • 5
  • 18
  • 42
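
With a global AuthorizeAttribute in place, the only actions reachable without login are the ones marked [AllowAnonymous], so it is worth listing them and failing a build when the list grows. The following is an added example, not code from the answer above or from nopCommerce; the names AnonymousSurfaceAudit, FindAnonymousActions and AssertOnlyExpected, and the "Account/Login" allow-list entry, are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Added example: finds every action that opts out of the global AuthorizeAttribute.
public static class AnonymousSurfaceAudit
{
    // Returns "Controller/Action" for each action method marked [AllowAnonymous].
    public static IList<string> FindAnonymousActions(Assembly webAssembly)
    {
        var result = new List<string>();
        var controllers = webAssembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            // [AllowAnonymous] on the class exempts every action in it.
            bool wholeController = controller.IsDefined(typeof(AllowAnonymousAttribute), true);
            string name = controller.Name.EndsWith("Controller")
                ? controller.Name.Substring(0, controller.Name.Length - "Controller".Length)
                : controller.Name;

            // Skip property accessors, methods inherited from Controller itself, and [NonAction].
            var actions = controller.GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => !m.IsSpecialName
                    && !m.GetBaseDefinition().DeclaringType.IsAssignableFrom(typeof(Controller))
                    && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
                if (wholeController || action.IsDefined(typeof(AllowAnonymousAttribute), true))
                    result.Add(name + "/" + action.Name); // method name; [ActionName] aliases are not resolved
        }
        return result.Distinct().OrderBy(s => s).ToList();
    }

    // Throws if any anonymous action is missing from the expected allow-list.
    // Assumed usage in a unit test: AssertOnlyExpected(typeof(MvcApplication).Assembly, "Account/Login");
    public static void AssertOnlyExpected(Assembly webAssembly, params string[] expected)
    {
        var unexpected = FindAnonymousActions(webAssembly)
            .Except(expected, StringComparer.OrdinalIgnoreCase).ToList();
        if (unexpected.Any())
            throw new InvalidOperationException(
                "Actions reachable without login: " + string.Join(", ", unexpected));
    }
}
```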
3

You need to use the Authorize attribute.

About the redirection, from the MSDN:

If an unauthorized user tries to access a method that is marked with the Authorize attribute, the MVC framework returns a 401 HTTP status code. If the site is configured to use ASP.NET forms authentication, the 401 status code causes the browser to redirect the user to the login page.

So, you can apply a redirection to your login view in the web.config, or if you're using the ASP.NET forms authentication then it should redirect as you want to the login page.

There are four ways of implementing the Authorize attribute: globally, per controller, per controller method or per view.

Globally:

You can add "AuthorizeAttribute" in "RegisterGlobalFilter" in App_Start like below:

public class FilterConfig
{
    public static void RegisterGlobalFilter(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

and in Application_Start in Global.asax you should register this filter:

protected void Application_Start()
{
    FilterConfig.RegisterGlobalFilter(GlobalFilters.Filters);

    . . .
}

Per controller:

[Authorize] 
public class AccountController : Controller
{
    . . .
}

Per controller method:

public class AccountController : Controller
{
    . . .

    [AllowAnonymous]
    public ActionResult Register() { . . . }

    [Authorize]
    public ActionResult Manage() { . . . }

    . . .
}

Per view:

<!-- With razor syntax -->

<script type="text/javascript">
    // redirectURL must already be defined in script as the login page URL
    @if (!Request.IsAuthenticated) {
        <text>window.location.href = redirectURL;</text>
    }
</script>

<!-- Without razor syntax -->

<script type="text/javascript">
    <% if(!Request.IsAuthenticated) { %>
        window.location.href = redirectURL;
    <% } %>
</script>

Global method from Iraj's answer.

Ciro Pedrini
  • 4,135
  • 1
  • 11
  • 17
  • If I understand correctly, this would require adding `[Authorize]` to every single view's controller function, which would be way too much for this site. – vaindil Oct 13 '15 at 18:13
  • Take a look at this: http://stackoverflow.com/a/22597699/4848267. – Ciro Pedrini Oct 13 '15 at 18:14
1

If you want to authorize all controllers you can do this...

Put this in Application_Start in Global.asax:

GlobalFilters.Filters.Add(new AuthorizeAttribute());

Amin Seifi
  • 58
  • 1
  • 6