I have seen the following two accessible booleans:
System.Web.Mvc.Controller.User.Identity.IsAuthenticated
System.Web.Mvc.Controller.Request.IsAuthenticated
Is there a difference between these? They both seem to do the same thing so I am not sure which to use.
What I would like to do is:
    @if (User.Identity.IsAuthenticated) {
        if (User.IsInRole("Admin")) {
            @Html.ActionLink("Admin", "AdminController")
        }
    }
or
    @if (Request.IsAuthenticated) {
        if (User.IsInRole("Admin")) {
            @Html.ActionLink("Admin", "AdminController")
        }
    }
Would either of the above work equally well?
There's no difference. The only difference is that if the user is not authenticated User.Identity might be null and thus you might get a NRE, whereas with the second approach, internally there's a check for this and is safer.
Here's how the Request.IsAuthenticated method is implemented:
    public bool IsAuthenticated
    {
        get
        {
            return this._context.User != null &&
                   this._context.User.Identity != null &&
                   this._context.User.Identity.IsAuthenticated;
        }
    }
Basically it's a bit safer than the first one.
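The null guard in the getter above, exercised as an added example (not part of the original answer and not ASP.NET's own code). `FakeContext`, `NoIdentityPrincipal` and `AuthChecks` are hypothetical stand-ins so the comparison runs as a console program without System.Web; the sample principals are constructed.

```csharp
using System;
using System.Security.Principal;

// Hypothetical stand-in for HttpContext; only the User property matters here.
sealed class FakeContext { public IPrincipal User { get; set; } }

// Constructed principal whose Identity is null, to exercise the second guard.
sealed class NoIdentityPrincipal : IPrincipal
{
    public IIdentity Identity => null;
    public bool IsInRole(string role) => false;
}

static class AuthChecks
{
    // Same three-part guard as the Request.IsAuthenticated getter quoted above.
    public static bool IsAuthenticated(FakeContext ctx) =>
        ctx.User != null && ctx.User.Identity != null && ctx.User.Identity.IsAuthenticated;

    // Hypothetical helper: role check that cannot throw when User is missing.
    public static bool IsInRole(FakeContext ctx, string role) =>
        IsAuthenticated(ctx) && ctx.User.IsInRole(role);
}

static class Program
{
    static void Main()
    {
        // Constructed sample principals: no user, no identity, anonymous, admin.
        string[] labels = { "User == null", "Identity == null", "anonymous", "alice (Admin)" };
        IPrincipal[] users = {
            null,
            new NoIdentityPrincipal(),
            new GenericPrincipal(new GenericIdentity(""), new string[0]),
            new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admin" })
        };
        for (int i = 0; i < users.Length; i++)
        {
            var ctx = new FakeContext { User = users[i] };
            string direct;  // result of the unguarded User.Identity.IsAuthenticated
            try { direct = ctx.User.Identity.IsAuthenticated.ToString(); }
            catch (NullReferenceException) { direct = "NullReferenceException"; }
            Console.WriteLine("{0,-17} direct={1,-22} guarded={2,-5} admin={3}",
                labels[i], direct, AuthChecks.IsAuthenticated(ctx), AuthChecks.IsInRole(ctx, "Admin"));
        }
    }
}
```

The first two rows throw on the direct access and return `False` from the guarded check; the last two rows give the same answer either way.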
The IsAuthenticated property to determine whether the current request has been authenticated. If it has not been authenticated, the request is redirected to another page where users can enter their credentials into the Web application. This is a common technique used in the default page for an application.
but when it comes to User.Identity.IsAuthenticated
The User property provides programmatic access to the properties and methods of the IPrincipal interface. Because ASP.NET pages contain a default reference to the System.Web namespace (which contains the HttpContext class), you can reference the members of HttpContext on an .aspx page without using the fully qualified class reference to HttpContext. For example, you can use User.Identity.Name to get the name of the user on whose behalf the current process is running. However, if you want to use the members of IPrincipal from an ASP.NET code-behind module, you must include a reference to the System.Web namespace in the module and a fully qualified reference to both the currently active request/response context and the class in System.Web that you want to use. For example, in a code-behind page you must specify the fully qualified name