Walkthrough: Using Forms Authentication in ASP.NET MVC

Many Web applications require a way to restrict access to some resources (such as specific pages) so that those resources are accessible only to authenticated users. The default Web application project template for ASP.NET MVC provides a controller, data models, and views that you can use to add ASP.NET forms authentication to your application. The built-in functionality lets users register, log on and off, and change their password. For many applications, this functionality provides a sufficient level of user authentication.

This walkthrough shows you the functionality that is provided by default for ASP.NET forms authentication in an ASP.NET MVC application. The walkthrough illustrates the following tasks:

  • How to create an ASP.NET MVC application that contains built-in functionality for authentication.

  • How to use built-in features to create a new user account.

  • How logged-in users can change their password.

  • How to restrict access to specific views so that only authenticated (logged-in) users can see them.

Prerequisites

In order to complete this walkthrough, you will need:

  • Microsoft Visual Studio 2008 Service Pack 1 or Visual Web Developer 2008 Express Edition Service Pack 1, or a later version of Visual Studio.

  • The ASP.NET MVC 2 framework. If you have installed Visual Studio 2010, the ASP.NET MVC 2 is already installed on your computer. To download the most up-to-date version of the framework, see the ASP.NET MVC download page.

This walkthrough assumes that you are familiar with ASP.NET MVC. For more information, see ASP.NET MVC 2.

Creating an ASP.NET MVC Application

To start, create a new ASP.NET MVC Web application.

To create an ASP.NET MVC application

  1. On the File menu, click New Project.

  2. In the New Project dialog box under Project types, expand Visual Basic or Visual C#, and then click Web.

  3. Under Visual Studio installed templates, select ASP.NET MVC 2 Web Application.

  4. In the Name box, type MvcAuthentication.

  5. In the Location box, enter the name of the project folder.

  6. Select Create directory for solution.

  7. Click OK.

  8. In the Create Test Project dialog box, select No, do not create a unit test project, and then click OK.

    Note

    If you are using the Standard edition of Visual Studio, the Create Unit Test Project dialog box is not displayed.

    The new MVC application project is created.

Account Controller, Models, and Views

In the Controllers folder, the AccountController controller class contains action methods that can register a new user, log the user in and out of the application, and change the password of an existing user. In the Views folder, the Accounts folder contains views that support these actions. In the Models folder, the AccountModels class contains classes that define the data objects, services, and validation routines that support forms authentication.

In the Views folder, the Shared subfolder contains a control named LogOnUserControl.ascx that indicates whether the user is logged on. The control is displayed at the top of the master-page view. When the user is not logged on, the control displays "Log On" and links to the LogOn view. When the user is logged on, the control displays a welcome message that includes the user name and a link that lets the user log off.

Registering a User

In this part of the walkthrough, you will use the built-in features of the application to register a new user and examine how the user information is stored.

To register a new user

  1. Press CTRL-F5 to run the application.

  2. At the top of the page, click Log On.

  3. Click Register.

  4. Enter values for the User name, Email address, Password, and Confirm password boxes.

    Make a note of the user name and password you use, because you will need the credentials later in this walkthrough.

  5. Click Register.

    A welcome message and a link for logging off are displayed at the top of the page.

When you register a user, the ASP.NET MVC framework checks whether the ASP.NET membership database file exists. If the database does not exist, ASP.NET creates a database file named ASPNETDB.MDF and populates it with the required tables.

To examine the membership database

  1. In Solution Explorer, click the Refresh button and then expand the App_Data folder.

    The ASPNETDB.MDF file is added to the App_Data folder.

  2. In Server Explorer, expand Data Connections, and then expand ASPNETDB.MDF.

    You can now examine the tables, data views, and stored procedures that make up the database. Notice that there are tables, views, and stored procedures that support user authentication, profiles, membership, and roles.

Changing Passwords

The ASP.NET MVC project template provides action methods and views that let users change passwords, but leaves it to you to decide how you want to use them. For this walkthrough, you will add a Change Password link to the LogOnUserControl.ascx control. As a result, the link to the ChangePassword view is displayed whenever the user is logged on.

To add and test the change password functionality

  1. If your Web application is still running in the browser, close the browser.

  2. In the Shared subfolder of the Views folder, open the LogOnUserControl.ascx control.

  3. Insert the following action link markup directly after the LogOff action link:

    [ <%: Html.ActionLink("Change Password", "ChangePassword", "Account") %> ]
    
  4. Save the file.

  5. Press CTRL-F5 to compile and run the application.

  6. Log on as the user that you created earlier.

    The welcome message, the log-off link, and the new change-password link are displayed at the top of the page.

  7. Click Change Password.

  8. Enter values for the Current password, New password, and Confirm new password boxes.

  9. Click Change Password.

    The password is changed.

  10. Click the Log Off link.

  11. Click the Log On link and log on again using the same user name and the new password.

Restricting Access to a View

Now that users can log on, log off, and change a password, you can specify what parts of the application should be restricted to authenticated users. You restrict access to a view by using the AuthorizeAttribute attribute to mark the action method that creates the view. You can restrict access to all views of a controller by using the AuthorizeAttribute attribute to mark the controller itself.

For the purposes of this walkthrough, you will restrict access to the About view.

To restrict access to a view

  1. If your Web application is still running in the browser, close the browser.

  2. Open the HomeController class and locate the About action method.

  3. Add the AuthorizeAttribute attribute to the About action method declaration, as shown in the following example:

    [Authorize]
    public ActionResult About()
    {
        return View();
    }
    
    <Authorize()> _
    Function About() As ActionResult
        Return View()
    End Function
    
  4. Save the file.

  5. Press CTRL-F5 to compile and run the application.

  6. Without logging on, click the About tab.

    The LogOn view is displayed, because you now must be logged on to view the About page.

  7. Log on to the application.

  8. Click the About tab.

    The About page is displayed.
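The following controller is an added example, not code from the project template, showing the controller-level use of AuthorizeAttribute described above and, going one step beyond the walkthrough, the Roles property that narrows an action to members of a named role. The controller, the "Administrators" role name, and the Audit action are hypothetical; the Roles check assumes the ASP.NET role provider is enabled in Web.config.

```csharp
using System.Web.Mvc;

namespace MvcAuthentication.Controllers
{
    // [Authorize] on the controller applies to every action it contains, so an
    // anonymous request for any of these actions gets an HttpUnauthorizedResult.
    // With forms authentication configured, ASP.NET turns that 401 into a
    // redirect to the LogOn view (the loginUrl in Web.config), which is the
    // behaviour observed in step 6 above.
    [Authorize]
    public class ReportsController : Controller
    {
        // Any authenticated user can reach this action.
        public ActionResult Index()
        {
            // User.Identity.Name is the user name from the forms authentication ticket.
            ViewData["Message"] = "Signed in as " + User.Identity.Name;
            return View();
        }

        // Roles narrows access further: an authenticated user who is not in the
        // hypothetical "Administrators" role is also refused (401, then the same
        // redirect to LogOn). The check uses User.IsInRole, so the role provider
        // must be enabled for it to return true for anyone.
        [Authorize(Roles = "Administrators")]
        public ActionResult Audit()
        {
            return View();
        }
    }
}
```

Because the attribute protects the action rather than the view file, every action that renders a restricted view needs the attribute; hiding the link in LogOnUserControl.ascx does not by itself prevent a direct request for the URL.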

Next Steps

Although the ASP.NET MVC project template provides forms authentication, you might want to learn more about ASP.NET membership and about how to add roles to your Web application. For more information, see the following topics:

See Also

Other Resources

ASP.NET MVC 2