I have been given the assignment of modifying an ASP.NET MVC application in such a way that navigating to myurl?username=xxxxxx automatically logs in user xxxxxx, without asking for a password.
I already made it very clear that this is a terrible idea for many security-related reasons and scenarios, but the people in charge are determined. The site would not be publicly available.
So: is there any way of signing in without a password by, for example, extending the Microsoft.AspNet.Identity.UserManager and modifying the AccountController?
Some code:
```csharp
// Excerpt of the existing Login action: the user is looked up by name and password,
// then gated on site membership and the Active flag before being signed in.
var user = await _userManager.FindAsync(model.UserName, model.Password);
if (user != null && IsAllowedToLoginIntoTheCurrentSite(user))
{
    user = _genericRepository.LoadById<User>(user.Id);
    if (user.Active)
    {
        await SignInAsync(user, model.RememberMe);
        // ... remainder of the action not shown
    }
}
```
_userManager holds an instance of a Microsoft.AspNet.Identity.UserManager.
and SignInAsync():
```csharp
private async Task SignInAsync(User user, bool isPersistent)
{
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
    var identity = await _userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
    if (user.UserGroupId.IsSet())
        user.UserGroup = await _userManager.Load<UserGroup>(user.UserGroupId);
    // adding claims here ...
    AuthenticationManager.SignIn(
        new AuthenticationProperties { IsPersistent = isPersistent },
        new CustomClaimsIdentity(identity));
}
```
AuthenticationManager would be OwinSecurity.
You just need to use the usermanager to find the user by name. If you have a record then just sign them in.
```csharp
public ActionResult StupidCompanyLogin()
{
    return View();
}

[HttpPost]
//[ValidateAntiForgeryToken] - What's the point? F**k security
public async Task<ActionResult> StupidCompanyLogin(string name)
{
    var user = await UserManager.FindByNameAsync(name);
    if (user != null)
    {
        await SignInManager.SignInAsync(user, true, true);
    }
    return View();
}
```
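If the requirement cannot be killed, the least bad way to implement it is to route the username-only entry point through the question's own sign-in path and keep every gate the normal Login action already applies, rather than a bare FindByNameAsync/SignInAsync pair. The following is an added example, not code from the question or the answer above. It assumes the question's AccountController with its _userManager (a UserManager<User>), its _genericRepository, its IsAllowedToLoginIntoTheCurrentSite(User) helper and its private SignInAsync(User, bool); the action name LoginByUserName, the TrustedCallers address list and the Home/Index redirect target are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Added example; assumes the question's AccountController members named in the lead-in.
public partial class AccountController : Controller
{
    // Hypothetical: internal hosts allowed to use the password-less entry point.
    // The question says the site is not public; enforcing that in code means the
    // endpoint does not silently become an open door if the deployment changes.
    private static readonly string[] TrustedCallers = { "10.0.0.5", "10.0.0.6" };

    // GET /Account/LoginByUserName?username=alice&returnUrl=/Reports
    [HttpGet]
    public async Task<ActionResult> LoginByUserName(string username, string returnUrl)
    {
        if (!Request.IsLocal && !TrustedCallers.Contains(Request.UserHostAddress))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        if (string.IsNullOrWhiteSpace(username))
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);

        // Lookup by name only; no password is verified, which is the whole point.
        var user = await _userManager.FindByNameAsync(username);
        if (user != null)
        {
            // Same reload the Login action performs before reading Active.
            user = _genericRepository.LoadById<User>(user.Id);
        }

        // Reuse the Login action's gates (site membership, Active flag). One generic
        // failure response so the endpoint cannot be used to enumerate user names.
        if (user == null || !IsAllowedToLoginIntoTheCurrentSite(user) || !user.Active)
        {
            System.Diagnostics.Trace.TraceWarning(
                "Password-less login refused for '{0}' from {1}", username, Request.UserHostAddress);
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        System.Diagnostics.Trace.TraceInformation(
            "Password-less login for '{0}' from {1}", user.UserName, Request.UserHostAddress);

        // Never persistent: a cookie obtained without a password should not outlive
        // the browser session (the answer above passes isPersistent: true).
        await SignInAsync(user, isPersistent: false);

        // Only follow local return URLs so the entry point cannot double as an open redirect.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}
```

The caller check, the audit trace lines and the non-persistent cookie are the three things a reviewer will ask for when this endpoint turns up in a code audit; none of them make the design safe, they only limit how far it can be abused.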