Managing 2 levels of authentication with Asp.Net Identity 2.0

I would like to be able to manage two levels of authentication for users of asp.net applications. The idea is that users can enter a permanent place with the "remember me" option and access some of the user's pages without particularly sensitive data, but they will have to re-enter their username / password every time they want to access some other pages (for example, for their payment information). This authentication for secure pages will be session-only. Of course, I could do it manually by accessing a different cookie and let Identity take care of the persistent one, but maybe there is a way to do this with Identity only.

You may have an idea of what I am trying to achieve on the Amazon website. You can log in permanently and then you are always greeted with your name on the site, you can see your recommendations, etc., but if you want to access your account or buy something, you must enter your username / password (and then it is only valid for the session).

Thanks!

+3




1 answer


You can set up two registration cookies to represent this. Your normal login page uses a cookie with the default app ID, but your safer page creates another cookie that is only used for your super secure area.

This is how you add another CookieMiddleware for this purpose:

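        // Needs: using Microsoft.Owin.Security; using Microsoft.Owin.Security.Cookies;
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            // Second cookie, separate from the default application cookie
            AuthenticationType = "SuperSecureMode",
            // Passive: only consulted when explicitly asked for by name
            AuthenticationMode = AuthenticationMode.Passive
        });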

You can save your cookie this way as soon as you repeat the credentials (you will need to add at least a user ID so you can check that later):



        HttpContext.GetOwinContext().Authentication.SignIn(new ClaimsIdentity("SuperSecureMode"));

And in your super secure pages, you will want to authenticate and extract the user id from the claim id.

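        // AuthenticateAsync lives on the authentication manager; the result is null when the cookie is absent
        var result = await HttpContext.GetOwinContext().Authentication.AuthenticateAsync("SuperSecureMode");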

+1
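The answer's three steps combined in one MVC 5 controller, as an added example that is not part of the original answer. It assumes the `SuperSecureMode` middleware is registered as shown above and that `ApplicationUserManager` is the class from the default project template (string user ids); the controller, action and view names are hypothetical.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

[Authorize] // the persistent "remember me" login is still required for every action
public class PaymentController : Controller // hypothetical controller
{
    private const string StepUpType = "SuperSecureMode"; // must match the middleware's AuthenticationType

    private IAuthenticationManager Auth
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Reauthenticate(string password)
    {
        // ApplicationUserManager is an assumption (default template class).
        var users = HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
        var user = await users.FindByIdAsync(User.Identity.GetUserId());
        if (user == null || !await users.CheckPasswordAsync(user, password))
            return View("Reauthenticate"); // hypothetical view that asks for the password again

        // Carry the user id in the second cookie so it can be checked later.
        var identity = new ClaimsIdentity(StepUpType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        // IsPersistent = false: the cookie is dropped when the browser session ends.
        Auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return RedirectToAction("Index");
    }

    public async Task<ActionResult> Index()
    {
        // Passive middleware never fills User, so ask for the second identity by name.
        var result = await Auth.AuthenticateAsync(StepUpType);
        var claim = result == null || result.Identity == null
            ? null : result.Identity.FindFirst(ClaimTypes.NameIdentifier);
        // Reject a step-up cookie issued for a different account than the primary login.
        if (claim == null || claim.Value != User.Identity.GetUserId())
            return View("Reauthenticate");
        return View();
    }
}
```

On logout, pass both authentication types to `SignOut` so the step-up cookie does not outlive the primary login.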

