This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 93%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
I am working on an Asp.Net Core MVC project. The identity was scaffolded and uses Razor pages. When the user enters the username and password, if they are valid, they will be redirected to an MVC controller where they have to answer a security question. For that, I have to pass two variables, username and usertype, from the Login.cshtml page to the controller. The following is my code. Although it works, it uses TempData to pass values. Even the older WebForms had methods such as Request.Form collection to send values from one page to another. Is there a better way to pass values from a Razor page to a controller?
public async Task<IActionResult> SecurityQuestionSetup()
{
var userName = TempData["username"]?.ToString();
var userType = TempData["usertype"]?.ToString();
if (!string.IsNullOrEmpty(userType) && userType.Equals("E"))
{
userType = "EXECUTIVE";
userName = $"{userType}{userName}";
}
else if (!string.IsNullOrEmpty(userType) && userType.Equals("m"))
{
userType = "MANAGERIAL";
userName = $"{userType}{userName}";
}
var securityQuestionList = await _saveSecurityQuestion.GetSecurityQuestionsAsync();
SecurityQuestionVM securityQuestionVM = new()
{
SecurityQuestionsList = securityQuestionList.Select(s => new SelectListItem
{
Text = s.SecurityQuestion,
Value = s.SecurityQuestionID.ToString(),
})
};
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 78%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Normally, the redirect to the MVC controller is a get action, pass the data from the get action method is using the querystring which is not security enough due to it show inside the url . Actually, using the temp data is a good way to pass the data.
The login user name can be obtained from the User property of ControllerBase, RazorPageBase and PageModel such like string? name = User.Identity?.Name; if he is authenticated. But I don't know the "usertype". What is it?
You are using Identity. The username is available in every request after a successful authentication.
User.Identity.Name
The userType should be a stored as user claim in the Identity database. Take advantage of the UserManger() api to set the user claim.
var user = await _userManager.GetUserAsync(User);
await _userManager.AddClaimAsync(user, new System.Security.Claims.Claim("userType", "E"));
Once the claim is assigned to the user then the claim can be fetched from the User principal after a successful authentication.
User.Claims.FirstOrDefault(t => t.Type == "userType").Value
Creating a claims policy simplifies authorization process.
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-8.0
I am using this functionality before the user is logged in. This is because I am using the Identity on top of an existing old application and I have to maintain few existing housekeeping features.
As my comment said, using the temp data is a good way to achieve it, also you could consider using the session to work with it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
TempData uses a cookie to pass the data. you can also just pass on the redirect url query string, but you should encrypt the data. another option is store data in a keyed persistent store and pass the key.
and finally you could create an instance of the controller and call the method directly.