Here is a quick guide on writing cookie authentication without using ASP.NET Identity.
- Add the authentication service and `HttpContextAccessor`.

```csharp
builder.Services.AddAuthentication("MyAuthScheme")
    .AddCookie("MyAuthScheme", options =>
    {
        options.LoginPath = "/Login";
        options.LogoutPath = "/Logout";
        options.AccessDeniedPath = "/AccessDenied";
    });
builder.Services.AddHttpContextAccessor();
```

Note that `"MyAuthScheme"` will be used throughout.
- Configure the HTTP request pipeline.

```csharp
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.MapControllers();
```
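As an added example (not code from the original post), here is the same registration and pipeline as a complete `Program.cs` with the cookie settings a production deployment should set explicitly rather than inherit. It assumes the .NET 6+ minimal hosting model; the defaults it overrides are `SecurePolicy = SameAsRequest` and `SameSite = Lax`.

```csharp
// Program.cs (added example; assumes the .NET 6+ minimal hosting model)
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddControllers();

builder.Services.AddAuthentication("MyAuthScheme")
    .AddCookie("MyAuthScheme", options =>
    {
        options.LoginPath = "/Login";
        options.LogoutPath = "/Logout";
        options.AccessDeniedPath = "/AccessDenied";

        // Cookie hardening. HttpOnly (already the default) keeps script away from
        // the ticket; Secure and SameSite restrict where the browser will send it.
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // default is SameAsRequest
        options.Cookie.SameSite = SameSiteMode.Strict;            // default is Lax; use Lax if cross-site
                                                                  // top-level links must arrive signed in
        options.Cookie.IsEssential = true;                        // auth cookie is not gated by consent

        // Ticket lifetime. Sliding expiration re-issues the ticket when more than
        // half of ExpireTimeSpan has elapsed on an authenticated request.
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
        options.SlidingExpiration = true;
    });

builder.Services.AddAuthorization();
builder.Services.AddHttpContextAccessor();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

// Order matters: UseAuthentication populates HttpContext.User from the cookie,
// and UseAuthorization then evaluates [Authorize] against that principal.
app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();
app.MapControllers();
app.Run();
```

The cookie name is left at its default, `.AspNetCore.` followed by the scheme name, which is the `.AspNetCore.MyAuthScheme` cookie referred to later in this guide.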
- In your login page, add:

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using System.Security.Claims;
```

In your login page constructor, inject `IHttpContextAccessor` and keep it in a `_httpContextAccessor` field, like so:

```csharp
private readonly IHttpContextAccessor _httpContextAccessor;

public Login(IHttpContextAccessor httpContextAccessor)
{
    _httpContextAccessor = httpContextAccessor;
}
```
Actual login:

```csharp
// Validate login credentials here and get user details.
var claims = new List<Claim>
{
    new Claim(ClaimTypes.NameIdentifier, user.Id),
    new Claim(ClaimTypes.Name, user.Username),
    new Claim(ClaimTypes.Email, user.Email)
    // add or remove claims as necessary
};
var claimsIdentity = new ClaimsIdentity(claims, "MyAuthScheme");
await _httpContextAccessor.HttpContext
    .SignInAsync("MyAuthScheme", new ClaimsPrincipal(claimsIdentity), new AuthenticationProperties());
// Redirect here
```

This code creates a cookie with the name `.AspNetCore.MyAuthScheme`.
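The snippet above leaves out the credential check and the redirect. As an added example (not the original author's code), here is a complete Razor Page `POST` handler around the same `SignInAsync` call. `IUserCredentialStore` and `AppUser` are hypothetical application types standing in for your own user lookup; everything else is framework API. A `PageModel` exposes `HttpContext` directly, so the accessor is not needed inside the page itself.

```csharp
// Pages/Login.cshtml.cs (added example). IUserCredentialStore and AppUser are
// hypothetical application types; substitute your own user lookup.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public record AppUser(string Id, string Username, string Email);

public interface IUserCredentialStore
{
    // Returns the user when the password verifies against the stored hash, otherwise null.
    Task<AppUser?> ValidateAsync(string username, string password);
}

public class LoginModel : PageModel
{
    private readonly IUserCredentialStore _users;
    private readonly ILogger<LoginModel> _logger;

    public LoginModel(IUserCredentialStore users, ILogger<LoginModel> logger)
    {
        _users = users;
        _logger = logger;
    }

    [BindProperty] public string Username { get; set; } = "";
    [BindProperty] public string Password { get; set; } = "";
    [BindProperty] public bool RememberMe { get; set; }

    public void OnGet() { }

    // Razor Pages validate the anti-forgery token on POST by default, so a
    // cross-site form cannot drive this handler.
    public async Task<IActionResult> OnPostAsync(string? returnUrl = null)
    {
        var user = await _users.ValidateAsync(Username, Password);
        if (user is null)
        {
            // One generic message for unknown user and wrong password alike,
            // so the form does not confirm which usernames exist.
            _logger.LogWarning("Failed login for {Username} from {Ip}",
                Username, HttpContext.Connection.RemoteIpAddress);
            ModelState.AddModelError(string.Empty, "Invalid username or password.");
            return Page();
        }

        var claims = new List<Claim>
        {
            new(ClaimTypes.NameIdentifier, user.Id),
            new(ClaimTypes.Name, user.Username),
            new(ClaimTypes.Email, user.Email),
        };
        var identity = new ClaimsIdentity(claims, "MyAuthScheme");

        var props = new AuthenticationProperties
        {
            // Persistent cookie only when asked for; otherwise it ends with the browser session.
            IsPersistent = RememberMe,
            // Explicit lifetime for this ticket; it takes precedence over options.ExpireTimeSpan
            // (and is still renewed on activity when SlidingExpiration is enabled).
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.AddHours(8),
        };

        await HttpContext.SignInAsync("MyAuthScheme", new ClaimsPrincipal(identity), props);

        // Only follow returnUrl when it is local, so the login form cannot be used as an open redirect.
        return LocalRedirect(Url.IsLocalUrl(returnUrl) ? returnUrl! : "/");
    }
}
```

Register your `IUserCredentialStore` implementation in `Program.cs` (`builder.Services.AddScoped<IUserCredentialStore, YourStore>()`) and the page works with the cookie scheme configured earlier.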
- Sign out code:

```csharp
await _httpContextAccessor.HttpContext.SignOutAsync("MyAuthScheme");
// Redirect to login or other page
```

This removes the `.AspNetCore.MyAuthScheme` cookie.
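Sign-out only clears the cookie in the browser that made the request: the ticket is self-contained and stays valid on every other device until it expires, and without ASP.NET Core Identity there is no security stamp to invalidate it when an account is disabled or a password changes. As an added example (not part of the original post), the `CookieAuthenticationEvents` subclass below re-checks the ticket on every request through `ValidatePrincipal`. `IUserStatusStore` is a hypothetical application service, and the `session_version` claim is one you would add at login alongside the claims shown above.

```csharp
// Added example: server-side revocation for the cookie ticket.
// IUserStatusStore is a hypothetical application service; substitute your own lookup.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

public interface IUserStatusStore
{
    // Returns the user's current session version (bumped on password change,
    // lockout or "log out everywhere"), or null if the account is gone or disabled.
    Task<int?> GetSessionVersionAsync(string userId);
}

public class RevocationCookieEvents : CookieAuthenticationEvents
{
    // Custom claim issued at login: new Claim(RevocationCookieEvents.VersionClaim, version.ToString())
    public const string VersionClaim = "session_version";

    private readonly IUserStatusStore _status;

    public RevocationCookieEvents(IUserStatusStore status) => _status = status;

    // Runs on every request that carries the cookie, after the ticket has been
    // decrypted and before HttpContext.User is set.
    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        var userId = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        var issuedVersion = context.Principal?.FindFirst(VersionClaim)?.Value;

        var currentVersion = userId is null
            ? null
            : await _status.GetSessionVersionAsync(userId);

        if (currentVersion is null || issuedVersion != currentVersion.Value.ToString())
        {
            // Account disabled, or its session version has moved on: reject the ticket
            // and clear the cookie so the browser stops presenting it.
            context.RejectPrincipal();
            await context.HttpContext.SignOutAsync("MyAuthScheme");
        }
    }
}

// Registration in Program.cs. EventsType (rather than options.Events = new ...) lets the
// events class take scoped dependencies from DI.
//
// builder.Services.AddScoped<IUserStatusStore, YourStatusStore>();
// builder.Services.AddScoped<RevocationCookieEvents>();
// builder.Services.AddAuthentication("MyAuthScheme")
//     .AddCookie("MyAuthScheme", options =>
//     {
//         options.EventsType = typeof(RevocationCookieEvents);
//     });
```

This adds a store lookup to every authenticated request, so back it with a short-lived cache keyed by user id if the lookup is expensive; the trade-off is how quickly a revocation takes effect.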
- You can now put the `[Authorize]` attribute on your pages, controllers or endpoints that require authenticated users.

```csharp
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class ProductsController : BaseController
{
    ...
}
```

Or you can specify scheme(s):

```csharp
[Authorize(AuthenticationSchemes = "MyAuthScheme,JwtScheme")]
```
- To check manually or to access claims in a controller or Razor page:

```csharp
if (User.Identity.IsAuthenticated)
{
    var username = User.Identity.Name;
    // The email claim was issued as ClaimTypes.Email, so look it up by that constant
    // (not the literal "Email"), and tolerate its absence instead of dereferencing null.
    var email = User.FindFirst(ClaimTypes.Email)?.Value;
}
```

To access in `.cshtml`:

```cshtml
@if (User.Identity.IsAuthenticated)
{
    <p>@User.Identity.Name</p>
    <p>@User.FindFirst(System.Security.Claims.ClaimTypes.Email)?.Value</p>
}
```

In other parts of the website, inject `IHttpContextAccessor`. `HttpContext` is null when there is no current request (for example in a background service), so check it before use:

```csharp
if (_httpContextAccessor.HttpContext?.User.Identity?.IsAuthenticated == true)
{
    // do something
}
```