Click here to Skip to main content
15,119,410 members
Articles / Web Development / HTML
Posted 15 Jul 2016


37 bookmarked

Login Functionality in MVC

Rate me:
Please Sign up or sign in to vote.
4.88/5 (29 votes)
15 Jul 2016CPOL6 min read
Custom login functionality in MVC using form authentication


Let’s first establish what the purpose of code is in the first place.

For this article, the purpose of code is to create Login & Logout Functionality in MVC using Form Authentication. We also discuss about the best way to store the password in database using HASHING.


The most important question is how password are protected. If you storing the password in a plain-text or using encryption/decrypation (2-way) then it is a horrible idea. If you store the password in ecryption format then its a possibility to revert to the pain-text value using encrypted output.

Here is the best solution for storing the password in database. We Encrypt the password using one-way hashing algorithms. First Of all we Create a HASH Value of Combination of Password, One Unique Field (i.e. username or mobile or email) and SALT Key using SHA512 Algorithm (bcrypt/PBKDF2/scrypt are also best alorithms for hashing) and also create a unique SALT Key using CSPRNG. Then we store HASH Value & SALT Key in database.

We dont need to know the password we just verify the inputed password. So, When the user attempts to login, we create a one HASH Value of password and one unique field (which is entered by user) and SALT then it is checked against the hash of their real password which are retrieved from the database. If the hashes match, the user is granted access. If not, the user is told they entered invalid login credentials.

Using the Code

First of all we need to create a database & datatable which contains users` information. HERE We start the CODE.

STEP 01: Create A Database with Name "DemoLoginFunctionality".


CREATE DATABASE DemoLoginFunctionality;

Below Script Is use to create a Datatable with Data Entries

USE [DemoLoginFunctionality]
/****** Object:  Table [dbo].[UserMaster]    Script Date: 15-07-2016 11:30:49 ******/
CREATE TABLE [dbo].[UserMaster](
    [UserID] [bigint] IDENTITY(1,1) NOT NULL,
    [Username] [nvarchar](50) NOT NULL,
    [HASH] [nvarchar](max) NOT NULL,
    [SALT] [varbinary](512) NOT NULL,
    [UserID] ASC


INSERT [dbo].[UserMaster] ([UserID], [Username], [HASH], [SALT]) VALUES (1, N'suchit', N'duD96EJIW3AhCKE9vcl8aev1M2yULlLS4dHqqyFISrpvAdjNvNlVjKHC2Xsi4wsDyHRWa/wxeGmNqd37nQdgS+IhX/AsWEpPklL2LlBMFxsXiviznHWOMb/OjcTDWhM6', 0xE2215FF02C584A4F9252F62E504C171B178AF8B39C758E31BFCE8DC4C35A133A)

NOTE: We save the password hashing & salt in database.

--- At the time of Registration (Generate HASH Value & SALT Key) ---

1) First we need to Create A SALT Key. We use CSPRNG (cryptographically secure pseudo-random number generator) for create a SALT Key.

What is SALT key?

A salt is random data that is used as an additional input to a one-way function that "hashes" a password.

What is CSPRNG?

A cryptographically secure pseudo-random number generator (CSPRNG) is a pseudo-random number generator (PRNG) with properties that make it suitable for use in cryptography. It is uses mathematical formulas to produce sequences of random numbers.

#region --> Generate SALT Key
private static byte[] Get_SALT()
      return Get_SALT(saltLengthLimit);

private static byte[] Get_SALT(int maximumSaltLength)
     var salt = new byte[maximumSaltLength];

      //Require NameSpace: using System.Security.Cryptography;
      using (var random = new RNGCryptoServiceProvider())

     return salt;


2) Now, second step is to create a HASH Value. we use SHA512 For Create a HASH Value.

What is password hasing?

Hashing performs a one-way transformation on a password, turning the password into another String, called the hashed password. “One-way” means that it is practically impossible to go the other way - to turn the hashed password back into the original password. They also have the property that if the input changes by even a tiny bit, the resulting hash is completely different.

hashSHA512("hello") = ekFc4y+0WZ/jHte2PNzvSLC/WLKel86uRb71r6JliSrgjEkKeFQkTL2Ltix+1mcybYsJZuaAp7x7dMUi+1sQCmzR/JoMziQU/XKv0YK92oYMywLb9QJYNYiZDITZNlNu

hashSHA512("hollo") = HntRl+7m3KQ6fDNhqGPYDz3tCAan9gtVL3ad/Z6Qm5aQ3bzDUXUBy+mfgmSVmzfQBYV+3K8A9pWwcRFJxpNYwwVKsB4HudvUsCGPE0JiDx+nX9ot/UU7fn5V1jOTos1g

hashSHA512("helle") = UXaSsPL0G0sY/jqccVMrjazoFgpeDihMu5xwSo3AYWqpHuozHee9zfRviHL1SF+6E/0nU/aV/rM+LLjbTUfBpNI4nPKFwCTmRYmvMrT2npHHsBaIO/w8cpIsJ7y5WiNv

What is SHA512?

The Secure Hash Algorithm (SHA512) is a set of cryptographic hash functions designed by the National Security Agency (NSA).

//CODE: Generate HASH Using SHA512
public static string Get_HASH_SHA512(string password, string username, byte[] salt)
                //required NameSpace: using System.Text;
                //Plain Text in Byte
                byte[] plainTextBytes = Encoding.UTF8.GetBytes(password + username);

                //Plain Text + SALT Key in Byte
                byte[] plainTextWithSaltBytes = new byte[plainTextBytes.Length + salt.Length];

                for (int i = 0; i < plainTextBytes.Length; i++)
                    plainTextWithSaltBytes[i] = plainTextBytes[i];

                for (int i = 0; i < salt.Length; i++)
                    plainTextWithSaltBytes[plainTextBytes.Length + i] = salt[i];

                HashAlgorithm hash = new SHA512Managed();
                byte[] hashBytes = hash.ComputeHash(plainTextWithSaltBytes);
                byte[] hashWithSaltBytes = new byte[hashBytes.Length + salt.Length];

                for (int i = 0; i < hashBytes.Length; i++)
                    hashWithSaltBytes[i] = hashBytes[i];

                for (int i = 0; i < salt.Length; i++)
                    hashWithSaltBytes[hashBytes.Length + i] = salt[i];

                return Convert.ToBase64String(hashWithSaltBytes);
                return string.Empty;

Now, Save the HASH Value & SALT Key in database.

STEP 02: Create New MVC Application Project.

1) On the File menu, click New Project.

Image 1

2) In the New Project dialog box under Project types, expand Visual C#, and then click Web and In the Name box, type "LoginFunctionalityMVC" then click on Ok.

3) Now, In the dialog box click on the "MVC" under the ASP.NET 4.5.2 Templates, Then click on Change Authentication which is stay on center of the right side.

Image 2

Image 3

STEP 03: So here is the new new MVC Application Created. Now, we need to create an EDMX & bind our database "DemoLogin" with EDMX.

1) on the right side you can found the solution explorer.

Image 4

2) In solution explorer right click on "Models" Folder. Then Click on the "Add" then click on the "New Item..."

Image 5

3) Now click on the Visual C# and Select ADO.NET Entity Data Model, Name it "DBModel" and click on Ok

Image 6

4) Select EF Designer from Database and click on "Next"

Image 7

5) Now click on new connection, then define "server name", select authentication mode either Windows or SQL Server if SQL server then enter username or password. And finally, select database "DemoLoginFunctionality" under Connect to a Database then click on OK

Image 8

Image 9

6) Now Declare a name of connection string as "DBEntities" under Save connection setting in Web.config as: then click on next

Image 10

7) select version of entity framework. select "Entity Framework 6.x" then click on next

Image 11

8) Expand "Table" then exand "dbo" and then select our datatable "UserMaster". now, Give the name space as "Models" under Model Namespace: and then click on OK

Image 12

9) Now Buid Your Project by pressing CLTR + B for updating every entities perfectly.

STEP 04: Add a new empty controller

1) To add a controller. Right click on "controller folder" select "Add" the click on "controller".

2) Now, In Add Scaffold Dialog box select "MVC 5 Controller - Empty" then Click on Add and name it as "HomeController" and click on Add

Create A New ActionResult method name as 'Login'.

public ActionResult Login(string returnURL)
    var userinfo = new LoginVM();

        // We do not want to use any existing identity information

        // Store the originating URL so we can attach it to a form field
        userinfo.ReturnURL = returnURL;

        return View(userinfo);
//Create A New ViewModel Name AS "LoginVM" into Models Folders & Declare Below Properties.

public class LoginVM
        public string Username { get; set; }

        public string Password { get; set; }

        public string ReturnURL { get; set; }

        public bool isRemember { get; set; }


STEP 05: Add a View.

1) For this, Right click on your "Login" action method and then select a "Add View"

2) Now, Uncheck the "Use a layout page" and click on Add Button

3) Add the Model Class in your top of the View

@model LoginFunctionalityMVC.Models.LoginVM

4) Add a Email, Password textbox, Checkbox (for Remember Me Option) & submit button in form tag on Index.cshtml (view)

//Paste below code in your view
@model LoginFunctionalityMVC.Models.LoginVM

    Layout = null;

<!DOCTYPE html>

    <meta name="viewport" content="width=device-width" />
    @using (Html.BeginForm("Login", "Home", FormMethod.Post))
        @Html.HiddenFor(s => s.ReturnURL)

        <h1>Login Functionality In MVC</h1>

            @if (TempData["ErrorMSG"] != null)
                <label style="color:maroon;"> @TempData["ErrorMSG"] </label>
                <br /><br />

            @Html.TextBoxFor(s => s.Username, new { @placeholder = "Username" })
            <br /> <br />
            @Html.PasswordFor(s => s.Password, new { @placeholder = "Password" })
            <br /> <br />
            @Html.CheckBoxFor(s => s.isRemember) Remember ME
            <br /> <br />
            <button type="submit">Login</button>

NOTE: Don`t forgot to declare AntiForgeryToken in your View.

AntiForgeryToken: The anti-forgery token can be used to help protect your application against cross-site request forgery.

STEP 06: When login page initialization, at that time we need to check that current session is logout. so fist we logout the existing user.

For this, we create a two methods as "EnsureLoggedOut" and "Logout"

//GET: EnsureLoggedOut
private void EnsureLoggedOut()
    // If the request is (still) marked as authenticated we send the user to the logout action
    if (Request.IsAuthenticated)

//POST: Logout
public ActionResult Logout()
        // First we clean the authentication ticket like always
        //required NameSpace: using System.Web.Security;

        // Second we clear the principal to ensure the user does not retain any authentication
        //required NameSpace: using System.Security.Principal;
        HttpContext.User = new GenericPrincipal(new GenericIdentity(string.Empty), null);


        // Last we redirect to a controller/action that requires authentication to ensure a redirect takes place
        // this clears the Request.IsAuthenticated flag since this triggers a new request
        return RedirectToLocal();

NOTE: Don`t forgot to declare ValidateAntiForgeryToken in your top of POST Method.

ValidateAntiForgeryToken: The feature doesn't prevent any other type of data forgery or tampering based attacks. To use it, decorate the action method or controller with the ValidateAntiForgeryToken attribute and place a call to @Html.AntiForgeryToken() in the forms posting to the method.

STEP 07: We Create a one method as "SignInRemember" for Set Authentication in Cookie (Remeber ME Option) & one method for redirect to page. name as "RedirectToLocal"

//GET: SignInAsync
private void SignInRemember(string userName, bool isPersistent = false)
    // Clear any lingering authencation data

    // Write the authentication cookie
    FormsAuthentication.SetAuthCookie(userName, isPersistent);
//GET: RedirectToLocal
private ActionResult RedirectToLocal(string returnURL = "")
        // If the return url starts with a slash "/" we assume it belongs to our site
        // so we will redirect to this "action"
        if (!string.IsNullOrWhiteSpace(returnURL) && Url.IsLocalUrl(returnURL))
            return Redirect(returnURL);

        // If we cannot verify if the url is local to our host we redirect to a default location
        return RedirectToAction("Index", "Dashboard");

STEP 08: Now, all pre-required methods are done.. Finally we move to create a one method for validate username and password.

public ActionResult Login(LoginVM entity)
    string OldHASHValue = string.Empty;
    byte[] SALT = new byte[saltLengthLimit];

        using (db = new DBEntities())
            // Ensure we have a valid viewModel to work with
            if (!ModelState.IsValid)
                return View(entity);

            //Retrive Stored HASH Value From Database According To Username (one unique field)
            var userInfo = db.UserMasters.Where(s => s.Username == entity.Username.Trim()).FirstOrDefault();

            //Assign HASH Value
            if (userInfo != null)
                OldHASHValue = userInfo.HASH;
                SALT = userInfo.SALT;

            bool isLogin = CompareHashValue(entity.Password, entity.Username, OldHASHValue, SALT);

            if (isLogin)
                //Login Success
                //For Set Authentication in Cookie (Remeber ME Option)
                SignInRemember(entity.Username, entity.isRemember);

                //Set A Unique ID in session
                Session["UserID"] = userInfo.UserID;

                // If we got this far, something failed, redisplay form
                // return RedirectToAction("Index", "Dashboard");
                return RedirectToLocal(entity.ReturnURL);
                //Login Fail
                TempData["ErrorMSG"] = "Access Denied! Wrong Credential";
                return View(entity);

public static bool CompareHashValue(string password, string username, string OldHASHValue, byte[] SALT)
        string expectedHashString = Get_HASH_SHA512(password, username, SALT);

        return (OldHASHValue == expectedHashString);
        return false;

STEP 09: Now, the last stage is to create a Custom Authorize Attribute In MVC. Because it check that user is login or not before any page initialize.

Create a class name as "CheckAuthorization.cs" in "Models Folder"

public class CheckAuthorization : AuthorizeAttribute
       public override void OnAuthorization(AuthorizationContext filterContext)
           if (HttpContext.Current.Session["UserID"] == null || !HttpContext.Current.Request.IsAuthenticated)
               if (filterContext.HttpContext.Request.IsAjaxRequest())
                   filterContext.HttpContext.Response.StatusCode = 302; //Found Redirection to another page. Here- login page. Check Layout ajaxError() script.
                   filterContext.Result = new RedirectResult(System.Web.Security.FormsAuthentication.LoginUrl + "?ReturnUrl=" +

               //Code HERE for page level authorization


STEP 10: Now, just I have to put [CheckAuthorization] attribute on top of my controller to access my CheckAuthorization Function which is Custom Authorize Attribute.

STEP 11: Add authentication mode to Your Web.config

//Add Below Code To Your Web.confing

<system.web >  
    <authentication mode = "Forms" >  
    <forms loginUrl = "~/Home/Login" timeout = "2880" / > //Declare Your Return URL Here. Mean If Login Fail Then Page Redirect This URL  


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Comments and Discussions

QuestionProvide the Password Pin
SDZafar Ali8-Dec-19 19:04
MemberSDZafar Ali8-Dec-19 19:04 
QuestionRequire SALT and Hash generator code for the same Pin
abhimestry19-Sep-18 20:37
Memberabhimestry19-Sep-18 20:37 
QuestionUsername & password PinPopular
abhimestry19-Sep-18 0:34
Memberabhimestry19-Sep-18 0:34 
QuestionPerfect! Pin
Abdul Muqeet Khan20-Aug-18 12:00
MemberAbdul Muqeet Khan20-Aug-18 12:00 
Questionhi thank u Pin
shervinmina17-Jan-18 4:54
Membershervinmina17-Jan-18 4:54 
Questionlogin credentials Pin
satyam gupta21-Mar-17 3:22
Membersatyam gupta21-Mar-17 3:22 
QuestionVery best article + question Pin
Maurizio Felicella24-Aug-16 6:59
MemberMaurizio Felicella24-Aug-16 6:59 
GeneralMy vote of 5 Pin
Dan Randolph9-Aug-16 19:20
MemberDan Randolph9-Aug-16 19:20 
Very detailed comments in the code.
GeneralRe: My vote of 5 Pin
Khunt Suchit9-Aug-16 20:30
professionalKhunt Suchit9-Aug-16 20:30 
PraiseNice work - To the point and clear Pin 1:56 1:56 
GeneralRe: Nice work - To the point and clear Pin
Khunt Suchit22-Jul-16 5:11
professionalKhunt Suchit22-Jul-16 5:11 
QuestionNice article Pin
t.alkahtiri19-Jul-16 0:35
Membert.alkahtiri19-Jul-16 0:35 
AnswerRe: Nice article Pin
Khunt Suchit19-Jul-16 0:42
professionalKhunt Suchit19-Jul-16 0:42 
PraiseRe: Nice article Pin
t.alkahtiri19-Jul-16 0:56
Membert.alkahtiri19-Jul-16 0:56 
GeneralAwesome Post Pin
Sachin Makwana18-Jul-16 21:36
professionalSachin Makwana18-Jul-16 21:36 
GeneralRe: Awesome Post Pin
Khunt Suchit18-Jul-16 21:39
professionalKhunt Suchit18-Jul-16 21:39 
GeneralMy vote of 5 Pin
Carl Edwards In SA18-Jul-16 8:47
professionalCarl Edwards In SA18-Jul-16 8:47 
GeneralRe: My vote of 5 Pin
Khunt Suchit18-Jul-16 9:13
professionalKhunt Suchit18-Jul-16 9:13 
PraiseWritten very nicely ! Pin
DalalV18-Jul-16 1:24
MemberDalalV18-Jul-16 1:24 
GeneralRe: Written very nicely ! Pin
Khunt Suchit29-Jul-16 4:37
professionalKhunt Suchit29-Jul-16 4:37 
QuestionVery nice article, thank you Pin
PHUNG TIEN TRIEU15-Jul-16 18:15
MemberPHUNG TIEN TRIEU15-Jul-16 18:15 
AnswerRe: Very nice article, thank you Pin
Khunt Suchit15-Jul-16 18:51
professionalKhunt Suchit15-Jul-16 18:51 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.