Authentication plays an essential role in website security. ASP.NET Core provides various ways to authenticate a web application. In this article, we will see simple cookie authentication and how to implement it to the web application.
First, find the ConfigureServices method in the Startup.cs file and add the following code in the ConfigureServices method just before services. AddMvc() method to create authentication middleware services. Also, include Microsoft.AspNetCore.Authentication.Cookies Package.
In the above code, CookieAuthenticationDefaults.AuthenticationScheme is passed to AddAuthentication() to set the default authentication scheme. Then AddCookie() method configures the authentication. This method has LoginPath option. It will redirect to the login page when the user attempts to access the page, which requires authentication. Also, it will append the requested page’s URL to the login URL.
For example, the following is a URL to access the Index page but it requires authentication. https://www.example.com/Index
When the user enters the URL in the browser address box, it will redirect to the Login page with the ReturnUrl query string. The ReturnUrl will point to the user requested Index page. The below is an example of a Login page URL which has been redirected by the authentication process. https://www.example.com/Login?ReturnUrl=%2FIndex
Once the login provides the sign-in identity, the browser redirects to the requested page.
AddRazorPagesOptions helps to control the access of the razor pages. From the above code, the AuthorizeFolder convention will add the authorize filter to the pages under the specific folder. Here AuthorizeFolder passes the root folder path(“/”) so it will add the authorize filter to all the page. And AllowAnonymousToPage convention passes the Login page path(“/Login”) parameter. So anyone can access the login page, it does not require any authentication.
Add app.UseAuthentication() method before app.UseMvc() method in the Configure() method. This will add authentication capabilities to the application.
The following is a razor page to get the credential information from the user. It has asp-validation-summary to display a summary of the validation message.
Below code is the PageModel code. Here [BindProperty] attribute is added in LoginData class. So that the ASP.NET model binding will bind the properties with the HTTP request. For more info about model binding check this Model Binding in ASP.NET Core article. Here, the username and password are checked to ensure whether the user is registered or not.
For example purpose, the username and password are hard-coded with the common user name admin and password as the password. But in the real application, get the credentials from the database and check with the username and password.
ClaimsPrincipal has been used to hold the cookie information. In the following code, the claim list stores Name Identifier and Name. Then, SignInAsync method signs the specified user. After the login, the application will redirect to the Index page
SignOutAsync() helps to sign out the application. It will sign out the applicant and also clear the cookies.
This article explains simple cookie authentication without identity. If you have any comments, leave it in the comment text box below.