Building a Custom Login Flow in ASP.NET Core: A Beginner-Friendly Guide

In this blog, we’ll walk through creating a simple yet effective authentication system in ASP.NET Core using sessions and cookies. By the end, you’ll have a solid understanding of how to build a custom login flow without relying on external libraries like JWT or ASP.NET Core Identity. Here’s what you’ll learn:

1. Sessions: How to store user data on the server to maintain authentication state.

2. Cookies: How to store user data on the client side for persistent authentication.

3. Password Hashing: How to securely hash passwords before storing or comparing them.

4. Login and Logout: How to implement a login system and allow users to log out securely.

5. Custom Authentication: How to build a lightweight authentication system tailored to your application’s needs.

This guide is perfect for beginners, junior developers, or mid-level developers looking to understand the basics of authentication in ASP.NET Core. Let’s get started! 🚀

---

Why Custom Login Flow?

Sometimes, you don't need the complexity of JWT or Identity for small applications. A custom login flow allows you to:

• Keep things simple and lightweight.

• Learn the basics of authentication (sessions, cookies, hashing).

• Have full control over the authentication process.

Let’s dive in!

---

What We’ll Build

We’ll create a simple login system with the following features:

1. Login Page: Users enter their email and password.

2. Password Hashing: Passwords are securely hashed before being compared.

3. Session Management: Store user information on the server.

4. Cookies: Store user information on the client side.

5. Logout Functionality: Allow users to log out and clear their session.

---

Step 1: Setting Up the Project

1. Create a new ASP.NET Core MVC project:

   • Open Visual Studio or your favorite IDE.

   • Create a new project and select ASP.NET Core Web App (Model-View-Controller).

   • Name it something like CustomLoginFlow.

2. Add Session Support:

   • Open Program.cs and add the following code to enable sessions:

     var builder = WebApplication.CreateBuilder(args);
     
     // Add services to the container.
     builder.Services.AddControllersWithViews();
     builder.Services.AddSession(); // Add session support
     
     var app = builder.Build();
     
     // Configure the HTTP request pipeline.
     if (!app.Environment.IsDevelopment())
     {
         app.UseExceptionHandler("/Home/Error");
         app.UseHsts();
     }
     
     app.UseHttpsRedirection();
     app.UseStaticFiles();
     
     app.UseRouting();
     
     app.UseSession(); // Use session middleware
     
     app.UseAuthorization();
     
     app.MapControllerRoute(
         name: "default",
         pattern: "{controller=SignIn}/{action=Index}/{id?}");
     
     app.Run();

---

Step 2: Create the User Model

We need a model to represent the user’s login credentials. Create a folder named Models and add a UserModel.cs file:

namespace CustomLoginFlow.Models
{
    public class UserModel
    {
        public string Email { get; set; }
        public string Password { get; set; }
    }
}

---

Step 3: Implement Password Hashing

To securely store and compare passwords, we’ll hash them using SHA256. Create a static class DevCode with a method to hash passwords:

using System.Security.Cryptography;
using System.Text;

namespace CustomLoginFlow
{
    public static class DevCode
    {
        public static string ToHashPassword(this string password, string userName, string secretKey)
        {
            // Create a SHA256 hash of the password
            using SHA256 sha256Hash = SHA256.Create();
            byte[] bytes = sha256Hash.ComputeHash(Encoding.UTF8.GetBytes(
                password +
                userName.Replace("a", "@").Replace("l", "!") +
                secretKey));

            // Convert the byte array to a hexadecimal string
            StringBuilder builder = new StringBuilder();
            for (int i = 0; i < bytes.Length; i++)
            {
                builder.Append(bytes[i].ToString("x2"));
            }
            return builder.ToString();
        }
    }
}

---

Step 4: Create the SignIn Controller

The SignInController handles the login logic. Create a new controller in the Controllers folder:

using CustomLoginFlow.Models;
using Microsoft.AspNetCore.Mvc;

namespace CustomLoginFlow.Controllers
{
    public class SignInController : Controller
    {
        public IActionResult Index()
        {
            return View(new UserModel());
        }

        [HttpPost]
        public IActionResult Index(UserModel user)
        {
            // Hash the password for comparison
            string password = user.Password.ToHashPassword(user.Email, "123");

            // Hardcoded user credentials for demonstration
            if (user.Email == "slh@gmail.com" && 
                password == "192193cce00ee219a27de7a7fd4ee5d53f4cc93dd2a1120eab528b2c32b08228")
            {
                // Store the user's email in the session
                HttpContext.Session.SetString("email", user.Email);

                // Store the user's email in a cookie
                CookieOptions options = new CookieOptions
                {
                    Expires = DateTime.Now.AddMinutes(1), // Cookie expires in 1 minute
                    HttpOnly = true // Prevent client-side script access to the cookie
                };
                HttpContext.Response.Cookies.Append("email", user.Email, options);

                // Redirect to the home page after successful login
                return RedirectToAction("Index", "Home");
            }

            // If login fails, return to the login page with the user model
            return View(user);
        }

        [HttpPost]
        public IActionResult Logout()
        {
            // Clear the session
            HttpContext.Session.Clear();

            // Expire the authentication cookie
            Response.Cookies.Delete("email");

            // Redirect to the login page
            return RedirectToAction("Index", "SignIn");
        }
    }
}

---

Step 5: Create the Home Controller

The HomeController checks if the user is authenticated before allowing access to the home page:

using Microsoft.AspNetCore.Mvc;

namespace CustomLoginFlow.Controllers
{
    public class HomeController : Controller
    {
        public IActionResult Index()
        {
            // Check if the user is authenticated by verifying the session
            var email = HttpContext.Session.GetString("email");
            if (string.IsNullOrEmpty(email))
            {
                // If not authenticated, redirect to the login page
                return RedirectToAction("Index", "SignIn");
            }

            // If authenticated, display the home page
            return View();
        }
    }
}

---

Step 6: Create the Views

Login Page (Views/SignIn/Index.cshtml)

@model CustomLoginFlow.Models.UserModel

@{
    ViewData["Title"] = "Sign In";
}

<h2>Sign In</h2>

<form asp-action="Index" method="post">
    <div>
        <label asp-for="Email"></label>
        <input asp-for="Email" />
    </div>
    <div>
        <label asp-for="Password"></label>
        <input asp-for="Password" type="password" />
    </div>
    <button type="submit">Sign In</button>
</form>

@if (!ViewData.ModelState.IsValid)
{
    <div class="alert alert-danger">
        Invalid email or password.
    </div>
}

Home Page (Views/Home/Index.cshtml)

@{
    ViewData["Title"] = "Home";
}

<h2>Welcome to the Home Page</h2>

<p>You are logged in as: @Context.Session.GetString("email")</p>

<form asp-action="Logout" asp-controller="SignIn" method="post">
    <button type="submit">Logout</button>
</form>

---

Step 7: Run the Application

1. Run the application and navigate to the /SignIn page.

2. Log in with the email slh@gmail.com and password 123.

3. If successful, you’ll be redirected to the home page.

4. Click the Logout button to clear the session and cookie.

---

Key Takeaways

• Sessions: Store user data on the server.

• Cookies: Store user data on the client side.

• Password Hashing: Securely hash passwords before storing or comparing them.

• Logout: Clear the session and expire the cookie to log the user out.

This custom login flow is perfect for small applications or learning purposes. As your application grows, consider using ASP.NET Core Identity for more advanced features like role-based authorization, password recovery, and external logins.