How to restrict access to certain actions in controller in ASP.net MVC

Question

I am new to ASP.net MVC and created my first web application using it. In my application I am using database authentication. I have created Login action in controller which

Answer 1

If you are using FormsAuthentication you don't need to use ASP.NET session to track the currently authenticated user.

I read about Authorize attribute but don't know how to use it as I am using database authentication.

Assuming you went with FormsAuthentication, once you have validated the credentials of the user you should set a forms authentication cookie:

public ActionResult Login()
{
   if(uservalid)
   {
      FormsAuthentication.SetAuthCookie("username", false);
      return RedirectToAction("SomeProtectedAction");
   }
   else
   {
      //redirect to login
   }
}

and then:

[Authorize]
public ActionResult SomeAction()
{
   string currentlyLoggedInUser = User.Identity.Name;
}

By the way if you create a new ASP.NET MVC application using the internet template in Visual Studio you might take a look at the AccountController which is responsible for authenticating users and setting forms authentication cookies. Of course you could throw all the Entity Framework crap out of it and implement your own credentials validation against your own database tables.