How can i make something like this in MVC3 where i can still use [Authenticate] in the controller (or in a filter that is applied to all pages except the login page) ?
- User enters username and password which gets sent to the server as a post request.
- Application receives the posted information on the login page [httpPost]
- Application creates a new unique SESSIONID and writes it to the database
- Application requests that the browser writes a cookie with value SESSIONID=
- The next time the user requests a page cookie with SESSIONID= gets send everytime. (until it expires or is deleted)
- Application compares SESSIONID and IP address, which has been sent and checks if it exists as a valid session with that IP in the database. (Some session cleanup will be performed on login as well, users other sessions that exists will be removed)
This approach, seems to be rather difficult for me in ASP.NET. :-)