DEV Community

Dominic Pascasio
Dominic Pascasio

Posted on • Edited on

ASP.NET Core - Write a Simple Cookie Authentication

#dotnet #csharp #aspnet #authentication

Here is a quick guide on writing cookie authentication without using ASP.NET Identity.

  1. Add authentication service and HttpContextAccessor.

    builder.Services.AddAuthentication("MyAuthScheme")
    .AddCookie("MyAuthScheme", options => {
        options.LoginPath = "/Login";
        options.LogoutPath = "/Logout";        
        options.AccessDeniedPath = "/AccessDenied";
    });

builder.Services.AddHttpContextAccessor();

    Note that "MyAuthScheme" will be used throughout.

  2. Configure HTTP request pipeline.

    app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();
app.MapControllers();

  3. In your login page, add:

    using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using System.Security.Claims;

    In your login page constructor, inject _httpContextAccessor like so:

    private readonly IHttpContextAccessor _httpContextAccessor;
public Login(IHttpContextAccessor httpContextAccessor){ 
    _httpContextAccessor = httpContextAccessor;
}

    Actual login:

    // Validate login credentials here and get user details.

var claims = new List<Claim>
{
    new Claim(ClaimTypes.NameIdentifier, user.Id),
    new Claim(ClaimTypes.Name, user.Username),
    new Claim(ClaimTypes.Email, user.Email)
    // add or remove claims as necessary    
};

var claimsIdentity = new ClaimsIdentity(claims, "MyAuthScheme");

await _httpContextAccessor.HttpContext
    .SignInAsync("MyAuthScheme",
        new ClaimsPrincipal(claimsIdentity),
        new AuthenticationProperties());

// Redirect here

    This code creates a cookie with the name .AspNetCore.MyAuthScheme.

  4. Sign out codes:

    await _httpContextAccessor.HttpContext
            .SignOutAsync("MyAuthScheme");

// Redirect to login or other page

    This removes the cookie .AspNetCore.MyAuthScheme

  5. You can now put Authorize attribute on your pages, controllers or enpoints that require authenticated users.

    [Authorize]
[ApiController]
[Route("api/[controller]")]
public class ProductsController : BaseController { ... }

    Or you can specify scheme(s):

    [Authorize(AuthenticationSchemes = "MyAuthScheme,JwtScheme")]

  6. To check manually or to access claims in Controller or Razor page:

    if(User.Identity.IsAuthenticated) {

    var username = User.Identity.Name;
    var email = User.Claims.Where(i => i.Type == "Email").FirstOrDefault().Value;
}

    To access in .cshtml:

    @if(User.Identity.IsAuthenticated) {
    <p>@User.Identity.Name</p>
    <p>@User.Claims.Where(i => i.Type == "Email").FirstOrDefault().Value</p>
}

    In other parts of the website, inject IHttpContextAccessor:

    if(_httpContextAccessor.HttpContext
    .User.Identity.IsAuthenticated) {
    //do something
}

Resource

Microsoft Docs - Authentication

Top comments (0)