I am creating a new ASP.NET MVC 4 application (actually my first MVC application) that is a part of my previous ASP.NET web forms application. I have never used ASP.NET inbuilt authentication methods in any of my projects. This new MVC 4 app will be published on a sub-domain of the previous app. Login will be done from the previous app. A return URL should be provided from the MVC app to return to the current page if not logged in. However, New User Registration and Account Recovery options are already developed in the previous web forms application and I don't want to replicate them in my new MVC application.

A cookie token with a token number will be issued from the web forms application on the event of a successful login, which will be shared with all domains like *.maindomain.com.

Now I want to merge my own token validation method with the ASP.NET inbuilt methods so that I can make use of Authorize and other security related options in my new MVC application.

In my previous application I have developed my custom user validation system in the following way.

First, I have the following related SQL Server tables

http://i.stack.imgur.com/NPcFm.png

and the following classes

using System;
using System.Web;

// Enums referred to in the post; only the values mentioned there are listed.
public enum MemberState { EmailPending, Active, Suspended }
public enum TokenStatus { Active, Closed }

public class Token
{
    public static uint GenerateToken(string userEmail, string password, bool isPersistent)
    {
        // this static function generates a uint type unique token number
        // and puts this in the cookie "token" using the HttpContext.Current.Response object.
        // if isPersistent is set to true then the cookie will be persistent, otherwise not
        // if there is any problem in creating the token then it will throw an Exception with a proper message
        // Possible causes of not generating a token are
        // 1. Invalid user email or password
        // 2. 'State' value in 'Member' table is 'EmailPending' or 'Suspended' (there is an enum for MemberState)
        throw new NotImplementedException(); // body omitted in the original post
    }

    public Token(uint tokenNo, bool validateImmediately = false)
    {
        // simply load token details with a few fields from the Member table from the database
        // Call the Validate function if validateImmediately is set to true
        // Throws an exception if the token does not exist in the database
        throw new NotImplementedException(); // body omitted in the original post
    }

    public void Validate()
    {
        // Checks for everything like MemberState is Active and Token status is also Active and throws an exception if anything is wrong
        // and then checks that (LastAccessedOn.AddSeconds(TokenLife) < AppSettings.Now) is not true
        // Calls the UpdateStatus function with the new token status and the current page from HttpContext in the comment parameter
        throw new NotImplementedException(); // body omitted in the original post
    }

    public void UpdateStatus(TokenStatus newStatus, string comment = "")
    {
        // simply write both newStatus and comment to the Token table
        // and remove the token cookie if newStatus is not set to Active
        throw new NotImplementedException(); // body omitted in the original post
    }

    public uint TokenNumber { get; private set; }
    public uint MemberNumber { get; private set; } // from Member table
    public string Name { get; private set; } // from Member table
    public MemberState MemberState { get; private set; } // from Member table
    public string MemberEmail { get; private set; } // from Member table
    public uint BusinsessNo { get; private set; } // from Business table
    public DateTime CreatedOn { get; private set; }
    public DateTime LastAccessedOn { get; private set; }
    public uint TokenLife { get; private set; } // from Member table
    public string CreatedIP { get; private set; }
    public string LastIP { get; private set; }
    public bool IsPersistent { get; private set; }
    public TokenStatus Status { get; private set; }
    public string Comment { get; private set; }
    public static Token Current
    {
        get
        {
            // Cached per request in HttpContext.Items. A static field would be shared by
            // every request in the worker process, so one user's token could be served
            // to another user.
            var items = HttpContext.Current.Items;
            if (items["token"] == null)
                items["token"] = new Token(uint.Parse(HttpContext.Current.Request.Cookies["token"].Value));
            return (Token)items["token"];
        }
    }
}

public class Member
{
    // all member related operations like new member, send verification email and verify email
}

For logging out a user I simply call UpdateStatus(TokenStatus.Closed, "User logged out"). This method will take care of cookie removal.

Note: the Member class has a property bool IsAdmin. You know what it's for.

Please suggest the best solution for developing an authentication system according to my needs in the MVC application. I am telling you again that options like New User, Account Recovery and Email Verification will be done in my previous ASP.NET web forms application. All I need is to put the Validate() method of my Token class in the right place in the MVC application. I am really confused by the several solutions available on the internet.
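One place the Validate() call fits in MVC 4 is a subclass of AuthorizeAttribute, so that [Authorize], [AllowAnonymous] and Roles all keep working. The following is an added example, not code from the original post or from any library. It assumes the Token class shown above (constructor with validateImmediately, MemberEmail) plus a hypothetical Token.IsAdmin property mirroring Member.IsAdmin, and it uses a placeholder login URL for the web forms application. It builds a fresh Token per request inside AuthorizeCore rather than going through a static cache, because anything static in the worker process is shared by all users.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute (example code, not from the original post).
public class TokenAuthorizeAttribute : AuthorizeAttribute
{
    // Placeholder: login page of the web forms application on the parent domain.
    private const string LoginUrl = "https://www.maindomain.com/Login.aspx";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        HttpCookie cookie = httpContext.Request.Cookies["token"];
        uint tokenNo;
        if (cookie == null || !uint.TryParse(cookie.Value, out tokenNo))
            return false; // no cookie or an unparsable value: treat as anonymous

        Token token;
        try
        {
            // validateImmediately: true runs the post's Validate() checks
            // (member state, token status, TokenLife expiry) on every request.
            token = new Token(tokenNo, validateImmediately: true);
        }
        catch (Exception)
        {
            // Unknown, expired, closed or suspended token: anonymous.
            // The exception message is deliberately not sent to the client.
            return false;
        }

        // Hypothetical Token.IsAdmin, assumed to mirror Member.IsAdmin from the post.
        string[] roles = token.IsAdmin ? new[] { "Admin" } : new string[0];
        httpContext.User = new GenericPrincipal(
            new GenericIdentity(token.MemberEmail, "Token"), roles);

        // Let the base class apply any Users/Roles set on the attribute,
        // e.g. [TokenAuthorize(Roles = "Admin")].
        return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Valid token but missing role: 403 rather than a login redirect.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // The MVC app lives on a sub-domain, so ReturnUrl must be absolute.
        string returnUrl = filterContext.HttpContext.Request.Url.AbsoluteUri;
        filterContext.Result = new RedirectResult(
            LoginUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl));
    }
}

// Registration in App_Start/FilterConfig.cs: every action requires a valid token
// unless it is marked [AllowAnonymous].
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new TokenAuthorizeAttribute());
    }
}
```

Two things to check on the web forms side: the login page should only honour a ReturnUrl whose host is one of your own *.maindomain.com names, so the redirect cannot be pointed at a third-party site, and the "token" cookie should be issued with HttpOnly and Secure set, since the MVC side relies on nothing but that cookie value to identify the user.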

Reply from LastMitch:

Please suggest the best solution for developing an authentication system according to my needs in the MVC application. I am telling you again that options like New User, Account Recovery and Email Verification will be done in my previous ASP.NET web forms application. All I need is to put the Validate() method of my Token class in the right place in the MVC application. I am really confused by the several solutions available on the internet.

@inheaven

There's no best solution for developing an authentication system; you need to understand how it works in the first place, then work on developing your own.

Have you looked at this:

http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api

Most of the questions you ask are very basic and general. You can find the answers to them on ASP.net. I usually look there.
