This course will be retired on July 14, 2025.

Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

User Authentication with ASP.NET Identity

Well done!

You have completed User Authentication with ASP.NET Identity!

Sign up for Treehouse Back to Library
Preview
Video Player
00:00
00:00
00:00
  1. 2x 2x
  2. 1.75x 1.75x
  3. 1.5x 1.5x
  4. 1.25x 1.25x
  5. 1.1x 1.1x
  6. 1x 1x
  7. 0.75x 0.75x
  8. 0.5x 0.5x
Use Up/Down Arrow keys to increase or decrease volume.

Reviewing Segmenting and Protecting Data

6:49 with James Churchill

Let's review the changes that we made to our web app in this section.

Let's review the changes we made in this section. 0:00
You've seen the SQL server object explorer window. 0:03
Let's review the data in the ASP.NET users table. 0:07
Here's our seeded users. 0:18
Notice that the passwords are hashed. 0:20
Now let's review the changes to the entry table. 0:24
Here's our user ID column, and notice that each row has a value populated 0:33
representing the user ID that owns or is associated with that entry. 0:38
Let's close both of those tabs. 0:44
Switch to solution explorer. 0:47
Expand controllers and open the entries controller. 0:49
Now let's set a break point inside each of the entries controller action methods. 0:53
I'll press F9 to set a break point here just inside of the index action 1:01
method Scroll down to Add. 1:05
Then the Post version of Add action method. 1:15
Edit. 1:22
And edit post. 1:26
Delete, and the last one, the delete post action method. 1:32
Then I'll press F5 to debug the app. 1:38
Here's our sign in page. 1:43
If you look up in the address bar, notice this green lock and the word Secure. 1:45
This tells us that we're using HTTPS and SSL. 1:51
I'll go ahead and sign in. 1:57
And just inside of the index action method we're getting ready to call 2:06
the git user ID method on the User.Identity property. 2:10
Press F10, if we hover over the user ID variable, 2:16
we can see the user ID from my account. 2:19
Now, we're gonna pass that user ID into the Git list entries repository method. 2:23
This allows the repository to filter the list of entries 2:29
to the ones that are associated with my account. 2:32
And here's my entries. 2:35
Let's try adding an entry. 2:37
Inside of the Add Action method, here we're getting my UserID, again, and 2:42
we're setting the viewModel.Entry.UserID property. 2:46
Let's view the source of the page by right clicking and selecting view page source. 2:51
I'll make this slightly larger. 2:57
And scroll down a bit. 3:00
Here's our first form, but this is our sign out form. 3:03
Let's scroll down a little bit further. 3:06
Here's what I'm looking for. 3:09
It's an input element of type hidden that contains my UserId. 3:10
Also notice that there's another hidden input element right here. 3:17
This one contains the anti-forgery token that we're using to prevent 3:22
CSFR or cross site request forgery. 3:28
If this token wasn't included as a form value, or 3:31
if the token value was incorrect, the post would fail upon submission to the server. 3:34
Let's go ahead and fill out some values. 3:41
So I'll select basketball for activity and say I played for 3:43
30 minutes at a medium intensity and submit the form. 3:48
Now, we are inside of the add post action method. 3:54
Lets step down, here we are about to get the user ID for my account. 3:57
And we're setting the entries user ID property 4:04
ignoring the one that was sent from the client. 4:08
This is to ensure that the user didn't tamper with the hidden field value. 4:11
Let's go ahead and add the entry, And 4:16
press F5 to continue execution which will redirect us back to the index page. 4:20
And here we are with our message saying that the entry was successfully added. 4:28
Now, let's edit that same entry by clicking the Edit button on its row. 4:34
Here we are in the Edit Get Action Method. 4:41
If we step down, we'll see the call to the GetUserId method, again. 4:44
And remember, we're passing in the userId into the entriesRespository 4:48
Get action method along with the id of the entry that we're trying to retrieve. 4:53
Doing this prevents users from hacking the URL 4:58
in an attempt to retrieve another users entry. 5:01
Let's change the activity and submit the form. 5:05
Let's step down. 5:11
Here we are getting a reference to our entry model, and 5:14
here we're getting the user ID, again. 5:17
This time, before we update the entry, we're calling the entry's repository 5:21
EntryOwnedByUserId method passing in the entry.Id and the userId. 5:26
We're doing this to ensure, again, that the combination of the entry ID and 5:31
user ID is valid. 5:36
In here, we're going to override EntryUserId property with the user 5:39
Id of the current user. 5:43
And after updating the entry, 5:46
we're redirected back to the entry's index route. 5:48
In here is our message that our entry was successfully updated. 5:53
Now, let's delete that entry. 5:59
Here's the delete Get action method, and 6:02
again, we're passing that into the entriesRepository.Get method in order to 6:05
ensure that this entry belongs to our user. 6:10
We click the Delete button to delete the entry. 6:16
And in the delete post action method, we're getting our user ID, again. 6:19
And we're calling it entriesRepository.EntryOwnedByUserId 6:24
method to check to make sure that this entry is, in fact, 6:28
owned by the current user. 6:31
Our entry has been deleted. 6:36
And now we're back at our entry's list page with the message letting us know that 6:39
our entry was deleted. 6:43
Now we're back to just four entries. 6:46