Answer the question
In order to leave comments, you need to log in
How to implement custom authentication and authorization in ASP.NET MVC 5?
Hello.
For a long time I have been using the authorization system from MS ( ASP.NET Identity 2.0 ), ASP.NET MVC gurus speak very badly about it, and I myself have found my jambs for a long time:
1. Very strong binding to SQL-Server - it is difficult to change the base . And at the moment the system is updated every two months, which makes it necessary to rewrite other people's implementations for new ones, especially NoSQL.
2. Doesn't allow adding own attributes to the collection (Claims doesn't count).
3.Does not check access when requested, i.e. the check is only based on the issued cookies and their date. If I log in from two browsers and change the password in the second browser, then the session in the first browser remains valid - the user can safely scroll through the secure pages of the site until the Nth time has passed. But the option to set the check time to a short time has its drawbacks, the obvious one is: sometimes you have to press Logout several times to make it work. :D
I myself have seen only 1 project closed from an experienced developer (he checks via Application_BeginRequest) and a few articles on the net (via BaseController and IPrincipal). And in each I miss something, and which one is better to use?
ASP.NET MVC gurus, please share your authentication and authorization implementations, or point me to what you think is the best article that describes a good and flexible authorization system. Preferably under MVC 5.
Thank you.
Answer the question
In order to leave comments, you need to log in
What do you mean by
Does not allow adding custom attributes to the collectionWhat collection do you mean?
Doesn't check access when requested? And I would also like to hear from the respondents what exactly is badly done in Identity? Personally, I don't understand why in IdentityUser 2.0
public class IdentityUser : IUser
{
...
public virtual ICollection<IdentityUserRole> Roles { get; }
...
}
<code>
роли пользователя представлены не в виде коллекции ролей, а в виде связывающих сущностей
<code>
public class IdentityUserRole<TKey>
{
public IdentityUserRole();
public virtual TKey RoleId { get; set; }
public virtual TKey UserId { get; set; }
}
<code>
Try to use universal providers by adding Micrrosoft.AspNet.Providers... As for me, it is more convenient and easy to redefine... I also dislike Identity... A little too smart.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question