0
\$\begingroup\$

How safe is Cookie based Authentication/Authorization in ASP.NET C#? Take a look at the example below, don't worry about password hashing, All this code does is that it takes a username and a password and lets a user login. After they login, I have multiple pages that use the role for authorization purposes. is this a secure/semi-secure method, or sufficient enough to prevent attacks and exploits against a web application? would you change anything in this code?

public async Task<IActionResult> OnPostAsync()
    {
        var user = await _context.UsersTableTest.FirstOrDefaultAsync(u => u.UserName == Username);

        if (user != null && user.PasswordHash == Password)
        {
            var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.UserName),
            new Claim("UserDepartment", user.UserDepartment) // Assuming you have a Department property in the user model
        };

            var claimsIdentity = new ClaimsIdentity(
                claims, CookieAuthenticationDefaults.AuthenticationScheme);

            var authProperties = new AuthenticationProperties
            {
                // Set additional properties if needed
            };

            await HttpContext.SignInAsync(
                CookieAuthenticationDefaults.AuthenticationScheme,
                new ClaimsPrincipal(claimsIdentity),
                authProperties);

            return RedirectToPage("/Index"); // Redirect to a protected page
        }
        else
        {
            ModelState.AddModelError("", "Invalid login attempt.");
            return Page();
        }
    }
\$\endgroup\$
3
  • 1
    \$\begingroup\$ Welcome to Code Review! Is this code that you wrote and/or maintain? \$\endgroup\$ Commented Aug 22, 2023 at 18:15
  • 1
    \$\begingroup\$ Yes, this code is what I wrote and maintain. \$\endgroup\$ Commented Aug 22, 2023 at 18:30
  • \$\begingroup\$ UsersTableTest.FirstOrDefaultAsync(u => u.UserName == Username) You expect more than one person to have the same username? FirstOrDefault should be used in extremely rare cases IMHO. \$\endgroup\$ Commented Aug 24, 2023 at 11:45

1 Answer 1

Reset to default
3
\$\begingroup\$ 
var user = await _context.UsersTableTest.FirstOrDefaultAsync(u => u.UserName == Username);

Please bear in mind that == operator are case sensitive. Depending on the database setup it might be okay to use like this. I just wanted to highlight under some circumstances it might return null due to case sensitivity.

if (user != null && user.PasswordHash == Password)

You have a giant if-else block inside your method. Both of them returns an IActionResult. So, either move the code from the else block to the same level as the if and then delete the empty else block. Or you can reverse the condition and guard only the error path, something like this

if (user == null || user.PasswordHash != Password)
{
    ModelState.AddModelError("", "Invalid login attempt.");
    return Page();
}

var claims = new List<Claim>
{
    new Claim(ClaimTypes.Name, user.UserName),
    new Claim("UserDepartment", user.UserDepartment) 
};
...

return RedirectToPage("/Index");

BTW1: where do you define/receive the Password?
BTW2: why don't you pass the password hash as well to the linq query?

var claims = ...
var claimsIdentity = ...
var claimsPrincipal = ...

I haven't used the built-in authentication feature of ASP.NET for a while but I think you could rely on it (HttpContext.AuthenticateAsync) for this simple use case rather than hand crafting every single piece.

await HttpContext.SignInAsync(

You might need to set the Principal to the HttpContext as well (HttpContext.User = claimsPrincipal; prior to the call of SignInAsync.

\$\endgroup\$
1
  • 1
    \$\begingroup\$ Thank you. I am receiving the password through an input label, and I set the variables to them, look at the example below. [BindProperty] public string Username { get; set; } [BindProperty] public string Password { get; set; } \$\endgroup\$ Commented Aug 23, 2023 at 16:53

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.