Post
Ask Question

Cookie Authentication With ASP.NET Core 2.0

Introduction

Authentication is an integral part of web security. ASP.NET Core provides multiple ways to implement authentication in a web application. We will be looking into such a technique - Cookie authentication in this article.

We will be creating a web application to register new users and then implement a login page which allows only the registered user to access the content. We will be using SQL server 2012 and ADO.NET for handling database part of our application.

Prerequisites
  • Install .NET Core 2.0.0 or above SDK from here.
  • Install the latest version of Visual Studio 2017 Community Edition from here.

Creating Table and Stored Procedures

We will be using a DB table to store the records of all users.

Open SQL Server and use the following script to create sysUser table.
  1. CREATE TABLE sysUser  
  2. (  
  3. FirstName VARCHAR(20) NOT NULL,  
  4. LastName VARCHAR(20) NOT NULL,  
  5. UserID VARCHAR(20) PRIMARY KEY,  
  6. UserPassword VARCHAR(20) NOT NULL  
  7. )   

Now, we will create stored procedures for registering a new user to our application and to validate the login information of a user.

To register a new user
  1. CREATE PROCEDURE spRegisterUser  
  2. (  
  3.     @FirstName VARCHAR(20),  
  4.     @LastName VARCHAR(20) ,  
  5.     @UserID VARCHAR(20) ,  
  6.     @UserPassword VARCHAR(20)   
  7. )  
  8. AS  
  9. BEGIN  
  10.   
  11.     DECLARE @result VARCHAR(10) ='Failed'
  12.   
  13.     IF NOT EXISTS(SELECT 1 FROM sysUser where UserID=@UserID)  
  14.     BEGIN     
  15.         INSERT INTO sysUser  
  16.         VALUES   
  17.         (   
  18.             @FirstName,@LastName,@UserID,@UserPassword  
  19.         )  
  20.           
  21.         SET @result= 'Success'  
  22.     END   
  23.   
  24.         SELECT @result AS Result  
  25. END  
To validate the login information of a user
  1. CREATE PROCEDURE spValidateUserLogin  
  2. (  
  3.     @LoginID VARCHAR(20) ,  
  4.     @LoginPassword VARCHAR(20)  
  5. )  
  6. AS  
  7. BEGIN  
  8.   
  9.     DECLARE @authentication VARCHAR(10)='Failed'  
  10.   
  11.     IF EXISTS(SELECT 1 FROM sysUser WHERE UserID=@LoginID AND UserPassword =@LoginPassword)  
  12.     BEGIN  
  13.         SET @authentication='Success'  
  14.     END  
  15.       
  16.     SELECT @authentication AS isAuthenticated  
  17.   
  18. END  

We are allowing only the unique User id for our application. Hence, if a user tries to register with an already existing User ID, this procedure will return ‘Failed’.

Now, our Database part has been completed. So, we will proceed to create the MVC application using Visual Studio.

Create MVC Web Application

Open Visual Studio and select File >> New >> Project.



After selecting the project, a "New Project" dialog will open. Select .NET Core inside Visual C# menu from the left panel. Then, select “ASP.NET Core Web Application” from available project types. Put the name of the project as CookieAuthDemo and press OK. Refer to this image.

 

After clicking on OK, a new dialog will open asking to select the project template. You can observe two drop-down menus at the top left of the template window. Select “.NET Core” and “ASP.NET Core 2.0” from these dropdowns. Then, select “Web application(Model-View-Controller)” template and press OK.

Now our project will open. You can observe in the solution explorer that we have Models, Views and Controllers folders already created. We will be adding our files to these folders only.

Adding the Model to the Application

Right click on Models folder and select Add >> Class. Name your class UserDetails.cs. This class will contain our User model properties. Add one more class file to Models folder. Name it as UserDetailsDataAccessLayer.cs . This class will contain our Database related operations.

Now, the Models folder has the following structure.
 
Open User.cs and put the following code in it. Since we are adding the required validators to the fields of User class, so we need to use System.ComponentModel.DataAnnotations at the top. Also, to mask the values typed in Password field, we have used [DataType(DataType.Password)] property.
  1. using System;  
  2. using System.Collections.Generic;  
  3. using System.ComponentModel.DataAnnotations;  
  4. using System.Linq;  
  5. using System.Threading.Tasks;  
  6.   
  7. namespace CookieAuthDemo.Models  
  8. {  
  9.     public class UserDetails  
  10.     {  
  11.         [Required]  
  12.         [Display(Name = "First Name")]  
  13.         public string FirstName { getset; }  
  14.   
  15.         [Required]  
  16.         [Display(Name = "Last Name")]  
  17.         public string LastName { getset; }  
  18.   
  19.         [Required]  
  20.         [Display(Name = "User ID")]  
  21.         public string UserID { getset; }  
  22.   
  23.         [Required]  
  24.         [Display(Name = "Password")]  
  25.         [DataType(DataType.Password)]  
  26.         public string Password { getset; }  
  27.     }  
  28. }  

We will be reading our connection string from appsettings.json file. So open your appsettings.json file and put the following code into it. Make sure to put your connection string.

  1. {  
  2.   "Logging": {  
  3.     "IncludeScopes"false,  
  4.     "LogLevel": {  
  5.       "Default""Warning"  
  6.     }  
  7.   },  
  8.   "ConnectionStrings": {  
  9.     "myConString""Your connection string here"  
  10.   }  
  11. }  
Now, open UserDataAccessLayer.cs and put the following code to handle database operations.
  1. using Microsoft.Extensions.Configuration;  
  2. using System;  
  3. using System.Collections.Generic;  
  4. using System.Data;  
  5. using System.Data.SqlClient;  
  6. using System.IO;  
  7.   
  8. namespace CookieAuthDemo.Models  
  9. {  
  10.     public class UserDataAccessLayer  
  11.     {  
  12.         public static IConfiguration Configuration { getset; }  
  13.   
  14.         //To Read ConnectionString from appsettings.json file  
  15.         private static string GetConnectionString()  
  16.         {  
  17.             var builder = new ConfigurationBuilder()  
  18.                 .SetBasePath(Directory.GetCurrentDirectory())  
  19.                 .AddJsonFile("appsettings.json");  
  20.   
  21.             Configuration = builder.Build();  
  22.   
  23.             string connectionString = Configuration["ConnectionStrings:myConString"];  
  24.   
  25.             return connectionString;  
  26.   
  27.         }  
  28.   
  29.         string connectionString = GetConnectionString();  
  30.   
  31.         //To Register a new user   
  32.         public string RegisterUser(UserDetails user)  
  33.         {  
  34.             using (SqlConnection con = new SqlConnection(connectionString))  
  35.             {  
  36.                 SqlCommand cmd = new SqlCommand("spRegisterUser", con);  
  37.                 cmd.CommandType = CommandType.StoredProcedure;  
  38.   
  39.                 cmd.Parameters.AddWithValue("@FirstName", user.FirstName);  
  40.                 cmd.Parameters.AddWithValue("@LastName", user.LastName);  
  41.                 cmd.Parameters.AddWithValue("@UserID", user.UserID);  
  42.                 cmd.Parameters.AddWithValue("@UserPassword", user.Password);  
  43.   
  44.                 con.Open();  
  45.                 string result = cmd.ExecuteScalar().ToString();  
  46.                 con.Close();  
  47.   
  48.                 return result;  
  49.             }  
  50.         }  
  51.   
  52.         //To Validate the login  
  53.         public string ValidateLogin(UserDetails user)  
  54.         {  
  55.             using (SqlConnection con = new SqlConnection(connectionString))  
  56.             {  
  57.                 SqlCommand cmd = new SqlCommand("spValidateUserLogin", con);  
  58.                 cmd.CommandType = CommandType.StoredProcedure;  
  59.   
  60.                 cmd.Parameters.AddWithValue("@LoginID", user.UserID);  
  61.                 cmd.Parameters.AddWithValue("@LoginPassword", user.Password);  
  62.   
  63.                 con.Open();  
  64.                 string result = cmd.ExecuteScalar().ToString();  
  65.                 con.Close();  
  66.   
  67.                 return result;  
  68.             }  
  69.         }  
  70.     }  
  71. }  

Our Models has been created. So, we will proceed to add controllers to our application.

Adding the Controller to the Application

Right click on Controllers folder and select Add >> New Item.

An “Add New Item” dialog box will open. Select Web from the left panel, then select “MVC Controller Class” from templates panel, and put the name as LoginController.cs. Press OK. This controller will handle the logic for Registering new user and login into the application.

 

Similarly, add one more controller, UserController.cs. This controller will contain a home page for user, which will be available to authorized users only.

Adding Views to the Application

To add views for our controller class, we need to create a folder inside Views folder with the same name as our controller and then add our views to that folder. Since we have two controllers for this application. Hence, we will be creating two folders inside views folder

Right-click on the Views folder, and then Add >> New Folder and name the folder as Login. Similarly, add one more folder User into the view folder.

Now, right-click on the Views/Login folder, and then select Add >> New Item.

An “Add New Item” dialog box will open. Select Web from the left panel, then select “MVC View Page” from templates panel, and put the name as RegisterUser.cshtml. Press OK.

 

Thus, we have created our first view. Similarly add one more view UserLogin.cshtml into Views/Login folder and UserHome.cshtml into Views/User folder.

Now, our Views folder will look like this,

 
Since our Views have been created, we will put codes in View and Controller for registration and login.

RegisterUser View

This view will be used to register a new user for our application.

Open RegisterUser.cshtml and put following code into it.

  1. @model CookieAuthDemo.Models.UserDetails  
  2. @{  
  3.     ViewData["Title"] = "UserLogin";  
  4. }  
  5. <h2>Register</h2>  
  6. <h4>New User</h4>  
  7. <hr />  
  8. <div class="row">  
  9.     <div class="col-md-4">  
  10.         @if (TempData["Success"] != null)  
  11.         {  
  12.             <p class="alert alert-success">@TempData["Success"]  <a asp-action="UserLogin">Click here to login</a></p>  
  13.         }  
  14.         @if (TempData["Fail"] != null)  
  15.         {  
  16.             <p class="alert alert-danger">@TempData["Fail"]</p>  
  17.         }  
  18.         <form asp-action="RegisterUser">  
  19.             <div asp-validation-summary="ModelOnly" class="text-danger"></div>  
  20.             <div class="form-group">  
  21.                 <label asp-for="FirstName" class="control-label"></label>  
  22.                 <input asp-for="FirstName" class="form-control" />  
  23.                 <span asp-validation-for="FirstName" class="text-danger"></span>  
  24.             </div>  
  25.             <div class="form-group">  
  26.                 <label asp-for="LastName" class="control-label"></label>  
  27.                 <input asp-for="LastName" class="form-control" />  
  28.                 <span asp-validation-for="LastName" class="text-danger"></span>  
  29.             </div>  
  30.             <div class="form-group">  
  31.                 <label asp-for="UserID" class="control-label"></label>  
  32.                 <input asp-for="UserID" class="form-control" />  
  33.                 <span asp-validation-for="UserID" class="text-danger"></span>  
  34.             </div>  
  35.             <div class="form-group">  
  36.                 <label asp-for="Password" class="control-label"></label>  
  37.                 <input asp-for="Password" class="form-control" />  
  38.                 <span asp-validation-for="Password" class="text-danger"></span>  
  39.             </div>  
  40.             <div class="form-group">  
  41.                 <input type="submit" value="Register" class="btn btn-default btn-primary" />  
  42.             </div>  
  43.         </form>  
  44.     </div>  
  45. </div>  
  46. <div>  
  47.     <a asp-action="UserLogin">Back to User Login</a>  
  48. </div>  
  49. @section Scripts {  
  50.     @{await Html.RenderPartialAsync("_ValidationScriptsPartial");}  
  51. }  
UserLogin View

This view will hold the Login form and redirects the user to user home page after successful login.

Open UserLogin.cshtml and put the following code into it. 

  1. @model CookieAuthDemo.Models.UserDetails  
  2. @{  
  3.     ViewData["Title"] = "UserLogin";  
  4. }  
  5.   
  6. <h2>User</h2>  
  7. <h4>Login</h4>  
  8. <hr />  
  9. <div class="row">  
  10.     <div class="col-md-4">  
  11.         @if (TempData["UserLoginFailed"] != null)  
  12.         {  
  13.             <p class="alert alert-danger">@TempData["UserLoginFailed"]</p>  
  14.         }  
  15.   
  16.         <form asp-action="UserLogin">  
  17.             <div asp-validation-summary="ModelOnly" class="text-danger"></div>  
  18.             <div class="form-group">  
  19.                 <label asp-for="UserID" class="control-label"></label>  
  20.                 <input asp-for="UserID" class="form-control" />  
  21.                 <span asp-validation-for="UserID" class="text-danger"></span>  
  22.             </div>  
  23.             <div class="form-group">  
  24.                 <label asp-for="Password" class="control-label"></label>  
  25.                 <input asp-for="Password" class="form-control" />  
  26.                 <span asp-validation-for="Password" class="text-danger"></span>  
  27.             </div>  
  28.             <div class="form-group">  
  29.                 <input type="submit" value="Login" class="btn btn-default btn-success" />  
  30.                 <a asp-action="RegisterUser" class="btn btn-info">SignUp</a>  
  31.             </div>  
  32.         </form>  
  33.     </div>  
  34. </div>  
  35. @section Scripts {  
  36.     @{await Html.RenderPartialAsync("_ValidationScriptsPartial");}  
  37. }  
Login Controller

To handle the business logic of User registration and login, open LoginController.cs and put following code into it
  1. using System;  
  2. using System.Collections.Generic;  
  3. using System.Linq;  
  4. using System.Security.Claims;  
  5. using System.Threading.Tasks;  
  6. using CookieAuthDemo.Models;  
  7. using Microsoft.AspNetCore.Authentication;  
  8. using Microsoft.AspNetCore.Mvc;  
  9.   
  10. namespace CookieAuthDemo.Controllers  
  11. {  
  12.     public class LoginController : Controller  
  13.     {  
  14.         UserDataAccessLayer objUser = new UserDataAccessLayer();  
  15.   
  16.         [HttpGet]  
  17.         public IActionResult RegisterUser()  
  18.         {  
  19.   
  20.             return View();  
  21.         }  
  22.   
  23.         [HttpPost]  
  24.         public IActionResult RegisterUser([Bind] UserDetails user)  
  25.         {  
  26.             if (ModelState.IsValid)  
  27.             {  
  28.                 string RegistrationStatus = objUser.RegisterUser(user);  
  29.                 if (RegistrationStatus == "Success")  
  30.                 {  
  31.                     ModelState.Clear();  
  32.                     TempData["Success"] = "Registration Successful!";  
  33.                     return View();  
  34.                 }  
  35.                 else  
  36.                 {  
  37.                     TempData["Fail"] = "This User ID already exists. Registration Failed.";  
  38.                     return View();  
  39.                 }  
  40.             }  
  41.             return View();  
  42.         }  
  43.   
  44.         [HttpGet]  
  45.         public IActionResult UserLogin()  
  46.         {  
  47.   
  48.             return View();  
  49.         }  
  50.   
  51.         [HttpPost]  
  52.         [ValidateAntiForgeryToken]  
  53.         public async Task<IActionResult> UserLogin([Bind] UserDetails user)  
  54.         {  
  55.             ModelState.Remove("FirstName");  
  56.             ModelState.Remove("LastName");  
  57.   
  58.             if (ModelState.IsValid)  
  59.             {  
  60.                 string LoginStatus = objUser.ValidateLogin(user);  
  61.   
  62.                 if (LoginStatus == "Success")  
  63.                 {  
  64.                     var claims = new List<Claim>  
  65.                     {  
  66.                         new Claim(ClaimTypes.Name, user.UserID)  
  67.                     };  
  68.                     ClaimsIdentity userIdentity = new ClaimsIdentity(claims, "login");  
  69.                     ClaimsPrincipal principal = new ClaimsPrincipal(userIdentity);  
  70.   
  71.                     await HttpContext.SignInAsync(principal);  
  72.                     return RedirectToAction("UserHome""User");  
  73.                 }  
  74.                 else  
  75.                 {  
  76.                     TempData["UserLoginFailed"] = "Login Failed.Please enter correct credentials";  
  77.                     return View();  
  78.                 }  
  79.             }  
  80.             else  
  81.                 return View();  
  82.   
  83.         }  
  84.     }  
  85. }  

To handle database operations, we have created an object of UserDataAccessLayer class inside the LoginController class.

If the user tries to register with a User id which is already registered into the database then we will display an error message on the view. This error message is passed on to the view using Tempdata.

Since we are using the same model for both, registering a new user and login into the application, but we do not require Firstname and LastName property for Login, hence we have removed those value from our model using ModelState.Remove inside UserLogin method.

If the validation is successful from the database end, then we will create a Claims list which will store the UserID of the user into the Name claim inside the cookie. This cookie data will be encrypted by default. Then we will build an identity and principal and then set the cookie using the SignInAsync method.

UserHome View

This is a dummy home page which will be accessed by authorized users only.

Open UserHome.cshtml and put the following code into it.

  1. @{  
  2.     ViewData["Title"] = "UserHome";  
  3. }  
  4. <ul class="nav navbar-nav navbar-right">  
  5.     <li>  
  6.         <a asp-action="Logout">Sign Out</a>  
  7.     </li>  
  8. </ul>  
  9.   
  10. <h2>UserHome</h2>  
  11. <h3>This is the user home page</h3>  

Open UserController.cs and put the following code into it

  1. using System;  
  2. using System.Threading.Tasks;  
  3. using Microsoft.AspNetCore.Authentication;  
  4. using Microsoft.AspNetCore.Authorization;  
  5. using Microsoft.AspNetCore.Mvc;  
  6.   
  7. namespace CookieAuthDemo.Controllers  
  8. {  
  9.     [Authorize]  
  10.     public class UserController : Controller  
  11.     {  
  12.         public IActionResult UserHome()  
  13.         {  
  14.             return View();  
  15.         }  
  16.   
  17.         [HttpGet]  
  18.         public async Task<IActionResult> Logout()  
  19.         {  
  20.             await HttpContext.SignOutAsync();  
  21.             return RedirectToAction("UserLogin""Login");  
  22.         }  
  23.     }  
  24. }  

The [Authorize] attribute signifies that this controller will be accessed only after successful authentication.

When an authentication request is made then, the middleware will check for the existence of authentication cookie which was set while login. If the cookie is found then the login is successful and the user will be redirected to UserHome view. But if the cookie is not present then the user will be redirected to the Login page (as set up using options.LoginPath in Startup.cs in next section). The user cannot access the UserHome view in this case.

We have also added a Logout method which will clear the authentication cookie and sign out the user from the application by redirecting to our login page.

Configuring Startup.cs file 

We will configure our application to use cookie authentication in Startup.cs file. Put the following code into this file.

  1. using System;  
  2. using System.Threading.Tasks;  
  3. using Microsoft.AspNetCore.Authentication.Cookies;  
  4. using Microsoft.AspNetCore.Builder;  
  5. using Microsoft.AspNetCore.Hosting;  
  6. using Microsoft.Extensions.Configuration;  
  7. using Microsoft.Extensions.DependencyInjection;  
  8.   
  9. namespace CookieAuthDemo  
  10. {  
  11.     public class Startup  
  12.     {  
  13.         public Startup(IConfiguration configuration)  
  14.         {  
  15.             Configuration = configuration;  
  16.         }  
  17.   
  18.         public IConfiguration Configuration { get; }  
  19.   
  20.         // This method gets called by the runtime. Use this method to add services to the container.  
  21.         public void ConfigureServices(IServiceCollection services)  
  22.         {  
  23.             services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)  
  24.                     .AddCookie(options =>  
  25.                     {  
  26.                         options.LoginPath = "/Login/UserLogin/";  
  27.   
  28.                     });  
  29.             services.AddMvc();  
  30.         }  
  31.   
  32.         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.  
  33.         public void Configure(IApplicationBuilder app, IHostingEnvironment env)  
  34.         {  
  35.             app.UseAuthentication();  
  36.   
  37.             if (env.IsDevelopment())  
  38.             {  
  39.                 app.UseBrowserLink();  
  40.                 app.UseDeveloperExceptionPage();  
  41.             }  
  42.             else  
  43.             {  
  44.                 app.UseExceptionHandler("/Home/Error");  
  45.             }  
  46.     
  47.             app.UseStaticFiles();  
  48.   
  49.             app.UseMvc(routes =>  
  50.             {  
  51.                 routes.MapRoute(  
  52.                     name: "default",  
  53.                     template: "{controller=Login}/{action=UserLogin}/{id?}");  
  54.             });  
  55.         }  
  56.     }  
  57. }  

Inside the ConfigureServices method we are setting up cookie authentication service. We have initialized a cookie authentication options, options.LoginPath property. This indicates the page where user will be redirected if the authentication fails, which is our login page in this case.

You can learn more about cookie authentication options here

We have also added app.UseAuthentication() in the Configure method and also set up the default route to our login page inside app.UseMvc method.

And now our application is ready. Press F5 to launch the application.

It will open a login page as shown in the image below. Here you can see the login form as well as two buttons for Login and SignUp


First, we will register a new user. Click on SignUp button; you will be redirected to the RegisterUser view displaying a user registration form.

Enter all the user details and click on Register button to register a new user.

 
All the fields of this page are required. So, if we miss the data in any field, the required field validation will be invoked.

 
If the user registration is successful, then we will be prompted with a success message.

 

If we try to register with an UserID which is already registered, then we will be prompted with an error message.

 

After the successful registration, navigate back to the User Login page by clicking on Back to User Login link at the bottom of Register user form. Both the fields in the login form are required. If we miss data in any field then required field validation error message will be displayed.

 

If the user enters the wrong credentials, then an error message will be displayed.

 
After providing the correct credentials click on login button and you will be redirected to User Home Page.

 

You can also observe a Sign Out link in the top right corner. Clicking on this will sign you out of the application and you be redirected to Login page.

If you try to access http://localhost:50656/user/userhome page without login into the application, you will be redirected back to the Login page as the user home page is only accessible after successful authentication.

Conclusion

We have implemented Cookie authentication in an ASP.NET Core 2.0 application. We have also created a user registration form to register a new user to our application. Please refer to the attached code for better understanding.


Similar Articles