What .NET objects should I use to create a cookie based session in MVC?
- by makerofthings7
I'm writing a custom password reset application that uses a validation technique that doesn't fit cleanly with ASP.NET Membership Provider's challenge questions.
Namely I need to invoke a workflow and collect information from the end user (backup phone number, email address) after the user logs in using a custom form.
The only way I know to create a cookie-based session (without too much "innovation" on my part) is to use WIF.
What other standard objects can I use with ASP.NET MVC to create an authenticated session that works with non-Windows user stores?
Ideally I can store "role" or claim information in the session object, such as "admin", "departmentXadmin", "normalUser", or "restrictedUser".
The workflow would look like this:
1. User logs in with username and password
2. If the username and pw are correct, a (stateless) cookie-based session is created
3. The user gets redirected to an HTML form that allows them to enter their backup phone number (for SMS dual factor), or validate it if already set.
4. The user can then change their password using the form provided
The "forgot password" would look like this:
1. User requests OTP code to be sent to the phone
2. User logs in using username and OTP
3. If the OTP is valid and not expired then create a cookie-based session and redirect to a form that allows password reset
4. Show password reset form, and process results.