MVC2 bypass login screen for New User - Create Password

MVC2 bypass login screen for New User - Create Password

Old forum URL:

SDM10012 posted on Saturday, September 25, 2010

My Use Case is to e-mail a url to new customer that will route them to a create password view in our CSLA 3.8 ASP.NET MVC2 application

Since the ChangePassword action is in the Account Controller ... the URL that I send to the unauthenticated user takes them to a login screen ( because of the constructor in the Account Controller ).

The simple solution would be to take that create password function out of the AccountController ... but I'm looking for a way to keep from having to do that.

To keep that function in the AccountController, It looks like I can re-route the action by adding a function in the constructor that will do special handling if the HTTP.Request is for the change password URL ....

Is there an MVC feature  / or any other options for bypassing the login screen for an unauthenticated user for an action in the Account Controller  ??








ajj3085 replied on Saturday, September 25, 2010

I'm not sure why you're really doing anything in the constructor of your AccountController.  Why don't you have the relevent logic in seperate action methods?

SDM10012 replied on Saturday, September 25, 2010

is there an update to the 3.8 version of MVC PTracker solves this ... here is my version of the "canonical" PT MVC accountcontronller ...


public class AccountController : Controller
// This constructor is used by the MVC framework to instantiate the controller using
// the default forms authentication and membership providers.
 AccountController(): this(null, nulL){}

// This constructor is not used by the MVC framework but is instead provided for ease

// of unit testing this type. See the comments at the end of this file for more

// information.

public AccountController(IFormsAuthentication formsAuth, IMembershipService service)

{FormsAuth = formsAuth ?? new FormsAuthenticationService();
MembershipService = service ?? new AccountMembershipService();
public IFormsAuthentication FormsAuth{get;private set;}
public IMembershipService FormsAuth{get;private set;

ajj3085 replied on Saturday, September 25, 2010

I guess I'm a bit confused; I thought you said you were sending unauthenticated users to a logon page in the constructor. 

SDM10012 replied on Saturday, September 25, 2010

Not quite ... in PTMVC any action in the Account Controller other than login requires an authenticated user

So ... it's a bit of a Hack ... but since this is the only case where a user without valid credentials can access a view managed by  the Account Controller in my app .... I'm looking for the URI in global.asax and performing a login for a default user.

if (HttpContext.Current.Request.AppRelativeCurrentExecutionFilePath == "~/NewPassword")

              MyApp.Library.Security.MyappPrincipal.Login("foo", "bar");

              HttpContext.Current.Session["CslaPrincipal"] =

With an authenticated user in the session object the AccountController constructor routes to the change password form, bypassing the login screen ....

ajj3085 replied on Sunday, September 26, 2010

Why not have another action method that doesn't require authorization, and just set the principal to the Unauthenticated princpal from Csla (or another one you make).

Copyright (c) Marimer LLC