Implementing Single Sign-On (SSO) for ASP.NET MVC applications provides a seamless, hassle-free login experience for your users, regardless of whether you're creating SaaS apps or an educational platform.

However, how can SSO improve security and streamline user authentication?
We'll go over SSO's specifics, the advantages of integrating it with ASP.NET MVC applications, and how it can streamline and manage your authentication procedure in this article.

What is Single Sign-On (SSO)?
Single Sign-On (SSO) has become a must-have for modern web applications. It lets you log in once and access many different applications without having to type in your username and password each time. This not only makes logging in easier but also helps keep your accounts safer by reducing password issues.

If you’re working on an ASP.NET MVC app, adding SSO can really help with user management, especially in big companies where quick access to different systems is crucial.

Here’s how it works:
When a user wants to access secure parts of your app, they just enter their username and password once. If they need to use other related applications, they usually have to enter their info again and again.

But with SSO, you only need to sign in once to get access to all connected services. As the name implies, you’re only asked to log in once during a specific time period before your login session expires.

What Are the Types of SSO Protocols?
For Single Sign-On (SSO) to work smoothly, Service Providers (SP) and Identity Providers (IDP) need to agree on a common way to share identity and login information. Here are some of the main protocols they use:

OAuth (Open Authorization)
OAuth is a widely used standard that helps with token-based authentication. It allows users to share their account information with third-party services without giving away their passwords. Instead of sharing your password, OAuth acts as a middleman. It gives the service an access token, which lets them see only certain account details.

OpenID
OpenID is another popular authentication protocol used by major companies like Google and Facebook. It’s an open and decentralized standard. With OpenID, third-party Identity Providers help verify users for Relying Parties (RP). Think of it as an extra layer on top of OAuth, making it even more secure.

SAML (Security Assertion Markup Language)
SAML works by using session cookies in your web browser. This lets you access specific pages without needing to log in each time. It gives companies more control to keep their SSO logins secure. For a more detailed look at SAML, check out the information below.

Where Can We Use SAML SSO?
SAML SSO is mainly used for authentication. This means that different apps, websites, and services need to trust the SSO site to let you access and edit your data.

Here’s how it works:
When you want to access something on a service provider’s app, you first need to log in with your username and password. If you’ve done this before, getting in is easier! The app sends a request to authenticate you, and then the identity provider sends back a response to confirm you’re good to go.

SAML is handy, especially when a service provider offers their features across various applications. It even opens up opportunities for third-party apps to use the same data in their own unique ways.

For example:

• Websites that provide data stats for online multiplayer games.
• Social media apps and forums that share a common topic.
• Online video streaming platforms that engage viewers.
• Software marketplaces like Steam that track user analytics

Why is SAML SSO Great for ASP.NET MVC Applications?
SAML SSO is highly effective for ASP.NET MVC applications for several reasons. First, it boosts security so you can feel safe while using your apps. It also helps manage user identities in one place, making it easier for everyone.

With SAML SSO, users only need to log in once to access multiple applications, which saves time and hassle. Plus, it works well across different domains, meaning you can easily connect with other services.

For businesses with complicated authentication needs, SAML SSO offers great flexibility and meets compliance requirements. It’s also scalable, so as your business grows, it can keep up. Overall, SAML SSO provides a secure and easy-to-use login experience for both users and administrators.
What are the Benefits of Using ASP.NET MVC Single Sign-On?

Faster Development
Using ASP.NET MVC Single Sign-On (SSO) helps developers save time. With a common authentication framework, they can get things done quicker. Plus, if the SSO system works independently, it takes even more pressure off the developers.

Lower Costs
Shorter development time means lower costs. It is a success when developers spend less time building. Also, fewer users forget their passwords or call the IT help desk for assistance, which cuts down on overall expenses.

Better Security
One of the best things about SSO is that it makes users less likely to fall for phishing attacks. SSO also makes sure that users connect through secure channels. This way, only one place handles their login info. The apps themselves only get a simple signal to let the user in or not. This means less sensitive information is shared.

Easier Administration
Managing user accounts becomes much easier with SSO. It reduces the workload for administrators because they don’t have to handle multiple logins. Just remember, SSO only deals with who can log in. Deciding what users can access based on their permissions still needs to be set up separately.

Better User Experience
With ASP.NET MVC Single Sign-On, users only need to log in once. They won’t have to keep entering their usernames and passwords for different applications and browsers, making everything smoother and simpler.

Conclusion
Integrating Single Sign-On (SSO) into your ASP.NET MVC application can really boost both security and user experience. With SSO, users only need to log in once to access multiple systems. This not only reduces the hassle of remembering multiple passwords but also helps organizations manage identities more effectively.

By following the steps in this guide, you can easily set up SSO for your ASP.NET MVC app. Just remember to test everything thoroughly, pick the right identity provider, and make sure your authentication flow fits your business needs. With a solid SSO solution in place, you can enhance your application's security and make it easier for users to navigate.

Upon writing multiple articles on this website, I discovered that nearly all of them required me to build up an example application linked to an entity framework in order to access the database. Additionally, each time, I had to start over with the setup procedure so that a new reader could easily follow along. Even when I introduced a really basic idea like caching, I had to spend 80% of my time configuring the sample application and only 20% of my time explaining the caching concept.

As a result, I believe it is preferable to create a fundamental model, such as an entity framework sample, for each technique, which I can then reuse as needed. I established a list of the series of articles below, and I will write them one by one, while the Entity framework overview and concept will be addressed in article (0).

Note
We write the Entity Framework for MVC module, but the pattern is the same or similar when applying to Web Application or Web API.

Introduction
This article is about Entity Framework with .Net MVC, Database-First approach.  This will be the easist and convenient one in the whole six approaches.

We will make a sample app step by step,

• Step 1: Create an ASP.NET MVC application
• Step 2: Reverse Engineer Model
• Step 3: Create Controller to access data from entity framework
• Step 4: Run the app

At the end, we will have an .Net MVC app that can consume a database directly through entity framework.

Step 1 - Create an ASP.NET MVC app
We use the current version of Visual Studio 2019 16.9.3 and .NET Framework 4.8 to build the app:

• Start Visual Studio and select Create a new project.
• In the Create a new project dialog, select ASP.NET Web Application (.NET Framework) > Next.
• In the Configure your new project dialog, enter MVC_DatabaseFirst for Project name > Create.
• In the Create a new ASP.NET Web Application dialog, select MVC > Creat

Note
For biginners, you may see details from here. Build and run the app, you will see the following image shows the app,

Step 2, Reverse Engineer Model
We’re going to make use of Entity Framework Designer, which is included as part of Visual Studio, to create our model.

• Project -> Add New Item…
• Select Data from the left menu and then ADO.NET Entity Data Model

Enter StoreModel as the name and click Add
This launches the Entity Data Model Wizard

Select Generate from Database and click Next.

In the Choose Your Data Connection Dialog box, Click New Connection.

In the Connection Properties Dialog box, Choose Server Name: Localhost, and Select or Enter database name: Pubs, Click OK.

You got connection string, Click Next.

Click Next.

Click the checkbox next to ‘Tables’ to import stores and click Finish. Once the reverse engineer process completes the new model is added to your project and opened up for you to view in the Entity Framework Designer (StoreModel.edmx):

The created class Store like this (StoreModel.edmx/StoreModel.tt/store.cs)
//------------------------------------------------------------------------------
// <auto-generated>
//     This code was generated from a template.
//
//     Manual changes to this file may cause unexpected behavior in your application.
//     Manual changes to this file will be overwritten if the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------

namespace MVC_DatabaseFirst
{
    using System;
    using System.Collections.Generic;

    public partial class store
    {
        public string stor_id { get; set; }
        public string stor_name { get; set; }
        public string stor_address { get; set; }
        public string city { get; set; }
        public string state { get; set; }
        public string zip { get; set; }
    }
}

The Data Context will be in pubsEntities class (StoreModel.edmx/StoreModel.Context.tt/StoreModel.Context.cs):
//------------------------------------------------------------------------------
// <auto-generated>
//     This code was generated from a template.
//
//     Manual changes to this file may cause unexpected behavior in your application.
//     Manual changes to this file will be overwritten if the code is regenerated.
// </auto-generated>
//------------------------------------------------------------------------------

namespace MVC_DatabaseFirst
{
    using System;
    using System.Data.Entity;
    using System.Data.Entity.Infrastructure;

    public partial class pubsEntities : DbContext
    {
        public pubsEntities()
            : base("name=pubsEntities")
        {
        }

        protected override void OnModelCreating(DbModelBuilder modelBuilder)
        {
            throw new UnintentionalCodeFirstException();
        }

        public virtual DbSet<store> stores { get; set; }
    }
}

and the connection details for the database will be inserted into web.config file:
<connectionStrings>
  <add name="pubsEntities" connectionString="metadata=res://*/Model1.csdl|res://*/Model1.ssdl|res://*/Model1.msl;provider=System.Data.SqlClient;provider connection string="data source=localhost;initial catalog=pubs;integrated security=True;MultipleActiveResultSets=True;App=EntityFramework"" providerName="System.Data.EntityClient" />
</connectionStrings>

Step 3:  Create Controller to access data from entity framework
From Visual Studio IDE,

• Right-click the Controllers folder.
• Select Add > New Scaffolded Item Or Controller to open the window Add New Scaffolded Item
• In the Add New Scaffold Item dialog box, click MVC 5 Controller with views, using Entity Framework, and then click Add.;
• In the Add Controller dialog box,
  • Select store (MVC_DatabaseFirst) for the Model class.
  • Select pubsEntities (MVC_DatabaseFirst) for the Data context class.
  • For the Controller name enter storesController.
  • Click Add.  

Step 4: Run the app
Type domain/stores into the link, you will get:

Model View Controller, or MVC for short, is a design pattern used to create applications rather than a programming language. Three components will make up the application that was created utilizing the MVC design pattern. Which model will house all of the data that can be retrieved at the user's request?

The Controller will have business logic code, and the View will have user interface code. We shall examine a graphical example of MVC to gain a better understanding of it.

The Properties of MVC is.

• Loose Coupling
• Lightweight code
• Effective look
• Testing is Very Easy
• Rapid application integrated development.

MVC Architecture
The architecture of MVC can be seen in the following figure.

Explanation
User will make request for the page which user would like to retrieve. Requested page will go to controller and on controller Route.Config will be checked. Requested page will get transfer to Model from Controller.

On Model there will be 2 steps.

• Page initialization will get started.
• Then result set will be generated.

After these operation result set will get unload to View through view engine.

Responsibility of view engine

• View Engine get the request from Controller
• The requested page will get executed
• The result got by the execution process will get deliver to View.

Life cycle of MVC
Life Cycle of MVC is in the following figure.

Explanation of MVC Life Cycle
Step 1. User will make request for page
Step 2. Route.Config will get check on Controller
Step 3. After Route.Config validation request will get transfer from Controller to Model
Step 4. Page request will go to Model & on Model the following operation will perform.

• Page initialization will start after the initialization of the page.
• One result set will get generated.

Step 5. Generated result set will be delivered to the Controller from the Model.
On Model Page validation operation will perform.

Step 6. After page validation on controller, Page will deliver to View through View engine.

Step 7. Now user can see requested page as response page.
Life Cycle of MVC can be seen as in the following figure.

Explanation

• User will make page request.
• Route.Config of requested page will get checked on Controller.
• Page initialization will be performing on Model and after page initialization one result set will get generated.
• Generated Result set will be getting delivered to the Controller from Model.
• Result set will get validated (Page Validation) and after page validation Result set will get delivred to View through view engine.

Recap
MVC Stands for Model View Controller, which is a design pattern. MVC based developed application will get divided in 3 components. Each and every component will contain their own code only.

In this article, we will learn how to create an ASP.NET Core MVC web application step by step. Prior to creating the application, let's know about the ASP.NET Core.

What is ASP.NET Core?
ASP.NET Core is an open-source cross-platform framework for developing and building web, cloud, and IoT applications.

Why should we use ASP.NET Core?

• ASP.NET is an open-source platform that runs on Microsoft .NET Core Framework.
• We can build and run the ASP.NET core application on a cross-platform environment such as Windows, macOS, Linux, etc.
• We can build modern apps such as Cloud, IoT, Web apps, mobile backend, etc. and those can be easily enabled to run over the cloud platform.
• We can host applications on any modern platform such as docker, AKS, or any environment.
• Saves the efforts of the developer with built-in features such as dependency injection, you can enable docker, containerization, and swagger support in just one click.

Now let's start creating an ASP.NET Core MVC web application.

Step 1. Open Visual Studio.
Open Visual Studio ( I am using 2019)
Once the Visual Studio Opens, Then click on Continue Without Code as shown in the following image.

Then from the Visual Studio Menu, click on File => New Project, as shown in the following image.

Click on the New Project, then the following window appears as shown in step 2.

Step 2. Choose Project Template
You will see the two project templates.

• ASP.NET Core Web App: This project template creates the web application with Razor pages without a Model, View, or Controller.
• ASP.NET Core Web App (Model-View-Controller): This project template creates the web application with Model, View, Controller (MVC).

Choose the ASP.NET Core Web App(Model-View-Controller) Template as shown in the following image.

After choosing the project template click on Next.

Step 3. Define Project Name and Location
In the project configuration window, you will see the following options.

• Project Name: Define any name for your project as per your choice.
• Location: Choose the location to save the project files on your hard drive of the machine. I have chosen the Project/VS folder of the E drive of the machine, and obviously, it's different on your computer.
• Solution Name: The solution name is auto-defined based on the project name, but you can change the name based on your own choice.

Additionally, there is a checkbox, if you have checked it, then the solution file (.sln) and project files will be saved in the same folder. Now Choose the minimum details for ease of understanding as shown in the following image.

After defining the required details, click on the Next.

Step 4. Choose the Target Framework
Choose the target framework .NET 5 which is the latest or you can choose based on your requirements, skip the other details for ease of understanding as shown in the following image.

After providing the required details, click the create button. It will create the ASP.NET Core MVC web application as shown in step 5.

Step 5. Understanding ASP.NET Core MVC Folder Structure
The following is the default folder structure of the ASP.NET Core ASP.NET MVC application.

Let's understand the preceding project folder structure in brief.

• The wwwroot folder: The wwwroot is the default root folder for storing the static files related to the project and those files can be accessed programmatically with a relative path.
• Controller Folder: The controller folder contains the controller classes where the operation-related code is written.
• Model Folder: The Models Folder contains the domain or entity classes. Models can be written anywhere in the solution such as in a separate class library or folder etc.
• Views Folder: The Views folder holds the razor pages which are responsible for showing and getting the data from the users.
• The appsettings.json File: The appsettings.json folder contains the configuration and secret details of the application.
• Program.cs File: The Program.cs is the starting point of the application which will create the host for an application to run the application.
• Startup.cs File: The Startup.cs file allows to configuration of the behavior of the application such as defining the routes, dependency injection, etc.

Step 6. Run the ASP.NET Core MVC Application
You can run the application with default contents or let open the Index.cshtml file and put some contents there. Now press F5 on the keyboard or use the run option from Visual Studio to run the application in the browser. After running the application, it will show in the browser as shown in the following image.|

This article shows how to determine what version of ASP.NET MVC is being used in your existing MVC application.At Runtime

There are the following two ways to get the version of your MVC application.

• At design time
• At runtime

At design time
To get the version of your MVC application at design time use the following procedure.
Go to the project in the Solution Explorer.

Expand references.

Right-click on "System.Web.Mvc" and select properties.

Now you will see the version property.

At Runtime
To get the version of your MVC you can use the following code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

namespace MVCVersion.Controllers
{
    public class HomeController : Controller
    {
        // GET: /Home/

        public string Index()
        {
            return "<b>Version of your MVC is: " + typeof(Controller).Assembly.GetName().Version.ToString() + "</b>";
        }

    }
}

typeof(Controller)
    .Assembly
    .GetName()
    .Version
    .ToString()

The preceding line of code provides the version of your MVC.

Output

An ASP.NET Core MVC application can be protected against DoS (Denial of Service) attacks by implementing a number of solutions, each of which addresses a different component of possible vulnerability. These are the standard methods.

1. Throttling and rate limitation

• Rate limitation stops malevolent users from flooding the server with requests by restricting the amount of requests a client can make in a certain amount of time.
• Rate limitation can be implemented by middleware or third-party libraries such as AspNetCoreRateLimit.

Using AspNetCoreRateLimit as an example
dotnet add package AspNetCoreRateLimit

Configure it in Startup.cs
public void ConfigureServices(IServiceCollection services)
{
    services.AddMemoryCache();
    services.Configure<IpRateLimitOptions>(options =>
    {
        options.GeneralRules = new List<RateLimitRule>
        {
            new RateLimitRule
            {
                Endpoint = "*",
                Limit = 1000,
                Period = "5m"
            }
        };
    });
    services.AddInMemoryRateLimiting();
    services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseIpRateLimiting();
}

2. Request Size Limiting
Limit the size of requests to prevent large payloads from being used to exhaust server resources.

In Program.cs or Startup.cs
services.Configure<IISServerOptions>(options =>
{
    options.MaxRequestBodySize = 10 * 1024; // Set limit to 10KB
});

services.Configure<KestrelServerOptions>(options =>
{
    options.Limits.MaxRequestBodySize = 10 * 1024; // 10KB
});

3. Timeout Configuration
Set proper timeout values for requests to avoid long-running connections that could hog resources.

In Startup.cs
services.AddHttpClient("myClient")
    .SetHandlerLifetime(TimeSpan.FromMinutes(5)) // Set handler timeout
    .AddPolicyHandler(Policy.TimeoutAsync<HttpResponseMessage>(TimeSpan.FromSeconds(10))); // Set HTTP request timeout

4. Input Validation
Properly validate user input to avoid potential DoS vulnerabilities caused by computational complexity or resource exhaustion.

• Validate the length, type, and format of input.
• Reject large or malformed data early in the request pipeline.

5. Captcha for Forms
Add CAPTCHAs (e.g., Google reCAPTCHA) to critical forms (login, registration, etc.) to prevent automated bots from generating large numbers of requests.
dotnet add package reCAPTCHA.AspNetCore
Configure in Startup.csservices.AddRecaptcha(options =>
{
    options.SiteKey = "your-site-key";
    options.SecretKey = "your-secret-key";
});
6. Distributed Caching for Load Balancing
Use caching to reduce the load on your server, thus preventing resource exhaustion. You can implement caching using MemoryCache, Redis, or NCache.Example using MemoryCacheservices.AddMemoryCache();

7. Use CDN for Static Resources
Offload static resources (images, CSS, JavaScript) to a Content Delivery Network (CDN) to reduce server load.

8. Web Application Firewall (WAF)
Use a WAF to inspect and filter traffic before it reaches your application. WAFs can block suspicious IP addresses, filter out malformed requests, and provide additional security against attacks.

9. Client-Side Caching
Implement proper cache headers to reduce unnecessary server requests by allowing browsers to cache resources.

10. HTTP/2 and Keep-Alive Settings
Tune server settings to prevent resource exhaustion. Ensure HTTP/2 is enabled, which multiplexes requests, and configure Keep-Alive settings.

Example in Startup.cs
services.Configure<KestrelServerOptions>(options =>
{
    options.Limits.KeepAliveTimeout = TimeSpan.FromMinutes(2);
});

Now we will implement the complete project for this article.

Step 1. Create a New ASP.NET Core MVC Project
Create a new ASP.NET Core MVC project via the.NET CLI or Visual Studio.
dotnet new mvc -n DoSAttackPrevention
cd DoSAttackPrevention
Step 2. Install Required NuGet PackagesInstall the necessary NuGet packages.
dotnet add package AspNetCoreRateLimit
dotnet add package reCAPTCHA.AspNetCore
Step 3. Configure Services in Startup.csModify Startup.cs to include the middleware and services.using AspNetCoreRateLimit;
using Microsoft.AspNetCore.HttpOverrides;
using reCAPTCHA.AspNetCore;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Add MVC
        services.AddControllersWithViews();

        // Memory Cache for Rate Limiting
        services.AddMemoryCache();

        // Configure Rate Limiting Options
        services.Configure<IpRateLimitOptions>(options =>
        {
            options.GeneralRules = new List<RateLimitRule>
            {
                new RateLimitRule
                {
                    Endpoint = "*",
                    Limit = 100,
                    Period = "1m" // 100 requests per minute per IP
                }
            };
        });

        services.AddInMemoryRateLimiting();
        services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();

        // Add Recaptcha Service
        services.AddRecaptcha(options =>
        {
            options.SiteKey = "your-site-key";
            options.SecretKey = "your-secret-key";
        });

        // Configure Request Size Limit
        services.Configure<IISServerOptions>(options =>
        {
            options.MaxRequestBodySize = 10 * 1024; // 10 KB
        });

        services.Configure<KestrelServerOptions>(options =>
        {
            options.Limits.MaxRequestBodySize = 10 * 1024; // 10 KB
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();

        app.UseRouting();

        app.UseIpRateLimiting(); // Apply Rate Limiting

        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}

Step 4. Add Rate Limiting Configuration
In the appsettings.json file, add rate-limiting options.
{
  "IpRateLimit": {
    "EnableEndpointRateLimiting": true,
    "StackBlockedRequests": false,
    "HttpStatusCode": 429,
    "RealIpHeader": "X-Real-IP",
    "ClientIdHeader": "X-ClientId",
    "GeneralRules": [
      {
        "Endpoint": "*",
        "Period": "1m",
        "Limit": 100
      }
    ]
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "AllowedHosts": "*"
}

Step 5. Implement CAPTCHA in a Form (e.g., Login Form)
In the Login View (Views/Home/Login.cshtml), implement Google reCAPTCHA.
@using reCAPTCHA.AspNetCore
@inject IRecaptchaService _recaptcha
@{
    var recaptchaResult = await _recaptcha.Validate(Request);
}

<form asp-controller="Home" asp-action="Login" method="post">
    <div class="form-group">
        <label for="Username">Username</label>
        <input type="text" class="form-control" id="Username" name="Username" required>
    </div>
    <div class="form-group">
        <label for="Password">Password</label>
        <input type="password" class="form-control" id="Password" name="Password" required>
    </div>

    <!-- Google reCAPTCHA -->
    <div class="g-recaptcha" data-sitekey="your-site-key"></div>

    <button type="submit" class="btn btn-primary">Login</button>
</form>

@section Scripts {
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
}

Step 6. Handle CAPTCHA Validation in the Controller
In the HomeController (Controllers/HomeController.cs), validate the CAPTCHA.using Microsoft.AspNetCore.Mvc;
using reCAPTCHA.AspNetCore;

public class HomeController : Controller
{
    private readonly IRecaptchaService _recaptcha;

    public HomeController(IRecaptchaService recaptcha)
    {
        _recaptcha = recaptcha;
    }

    [HttpPost]
    public async Task<IActionResult> Login(string username, string password)
    {
        var recaptchaResult = await _recaptcha.Validate(Request);
        if (!recaptchaResult.success)
        {
            ModelState.AddModelError(string.Empty, "CAPTCHA validation failed.");
            return View();
        }

        // Perform login logic here (e.g., validate username/password)

        return RedirectToAction("Index");
    }

    public IActionResult Index()
    {
        return View();
    }
}
Step 7. Implement Input Validation
Ensure that proper validation is applied to forms. For example, in the login form above, you can add validation attributes in the model or controller.
[Required]
[MaxLength(50)]
public string Username { get; set; }
[Required]
[MinLength(6)]
public string Password { get; set; }

Step 8. Configure Caching (Optional)
You can implement caching to reduce server load.services.AddMemoryCache();

Step 9. Build and Run the Project
You can now run the project.dotnet run
The project demonstrates rate limiting, request size limiting, and CAPTCHA integration, which are essential measures to prevent DoS attacks. You can extend this further by adding distributed caching (e.g., Redis) and a WAF.

Attribute routing is a potent feature in ASP.NET Core that lets you explicitly define routing information on controller activities. Compared to traditional routing, this offers more flexibility and control over how HTTP requests are routed to your API endpoints. This is a summary of attribute routing's functions and how to use it in your.NET Core API.

Attribute Routing: What is It?
With attribute routing, you may use attributes to construct routes directly on your action methods or controllers. This method can help make routing easier to comprehend and control because it is more explicit.

How to use Attribute Routing?
1. Basic Attribute Routing
You can apply routing attributes directly to action methods and controllers. For example.

[ApiController]
[Route("api/[controller]")]
public class ProductsController : ControllerBase
{
    // GET api/products
    [HttpGet]
    public IActionResult GetAllProducts()
    {
        // Implementation
    }
    // GET api/products/5
    [HttpGet("{id}")]
    public IActionResult GetProductById(int id)
    {
        // Implementation
    }
    // POST api/products
    [HttpPost]
    public IActionResult CreateProduct([FromBody] Product product)
    {
        // Implementation
    }
}

Controller Route: [Route("api/[controller]")] sets the base route for all actions in the controller. [controller] is a placeholder that gets replaced with the name of the controller (e.g., Products).
Action Routes: [HttpGet], [HttpGet("{id}")], [HttpPost] specify the HTTP methods and the routes for the actions.

2. Route Parameters
You can use route parameters in the attribute routing to capture values from the URL.

[HttpGet("search/{query}")]
public IActionResult SearchProducts(string query)
{
    // Implementation
}

Route Parameter: {query} in the route template will capture the value from the URL and pass it to the action method.

3. Optional Parameters
To make route parameters optional, use the following syntax.
[HttpGet("items/{id?}")]
public IActionResult GetItemById(int? id)
{
    // Implementation
}

Optional Parameter: {id?} makes the id parameter optional.

4. Route Constraints
You can add constraints to route parameters to enforce specific patterns.
[HttpGet("products/{id:int}")]
public IActionResult GetProductById(int id)
{
    // Implementation
}

Route Constraint: {id:int} ensures that the id parameter must be an integer.

5. Route Prefixes and Constraints at Controller Level
You can also set route prefixes and constraints at the controller level.
[ApiController]
[Route("api/[controller]/[action]")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult GetAllOrders()
    {
        // Implementation
    }

    [HttpGet("{id:int}")]
    public IActionResult GetOrderById(int id)
    {
        // Implementation
    }
}

Action Route: [action] is replaced with the action method name in the route URL.

6. Combining Routes
You can combine routes and use route templates to create complex routing scenarios.
[ApiController]
[Route("api/[controller]")]
public class CustomersController : ControllerBase
{
    [HttpGet("{customerId}/orders/{orderId}")]
    public IActionResult GetCustomerOrder(int customerId, int orderId)
    {
        // Implementation
    }
}

Benefits of Attribute Routing
Clarity and Control: Route definitions are more explicit and closely related to their corresponding actions, making it easier to understand and manage routes.
Flexibility: Allows for more complex routing scenarios, including optional and default parameters, constraints, and combined routes.
Customization: Facilitates precise control over route templates and endpoints.

Combined Route
The route combines customerId and orderId parameters to define a more specific endpoint.

Several forms to manage modal popups can result in repetitive code and more maintenance work. We'll look at how to centralize modal popup code in a.NET MVC application in this blog post. This will let you define the modal once and utilize it in other places in your project. We will cover how to create a modal's partial view, add it to various sites, and effectively handle modal triggers. You will have a better structured and manageable method for dealing with modal popups in your.NET MVC apps at the end of this article.

You can centralize the modal popup code and utilize it throughout your application to avoid repeating it in every form. Here's how to go about it.

Establish a Partial Model View
The modal code can be included in a partial view that you design. You can add this partial view to any page that requires a modal.

Steps
Create Partial View
Right-click on the Views/Shared folder (or any other folder) and select Add -> View.
Name the view _DeleteModal.cshtml.
In the view, add the modal code.

    <div class="modal-dialog">
        <div class="modal-content">
            <div class="modal-header">
                <h5 class="modal-title">
                    <asp:Label ID="ltrlDelHead" Text="Are You Sure, You want to Delete This?" runat="server"></asp:Label>
                </h5>
                <button type="button" class="bootbox-close-button close" data-dismiss="modal" aria-hidden="true">×</button>
            </div>
            <div class="modal-body">
                <div class="bootbox-body">
                    <div class="bootbox-form"></div>
                </div>
            </div>
            <div class="modal-footer">
                <button type="button" class="btn btn-link" data-dismiss="modal">Cancel</button>
                <asp:LinkButton ID="lnkRecordDelete" class="btn bg-danger" runat="server" OnClick="lnkRecordDelete_Click">Delete</asp:LinkButton>
            </div>
        </div>
    </div>

Include Partial View in Your Pages
In any view where you want to use this modal, simply include the partial view.
@Html.Partial("_DeleteModal")

Alternative Using Layout or Master Page
If you need this modal on many pages, you can add the modal code directly to your layout or master page so it’s available throughout your application.

Steps
Open your Layout.cshtml (or master page if using WebForms).
Add the modal code before the closing </body> tag.

<div class="modal fade" id="deleteModal" tabindex="-1" role="dialog" aria-hidden="true">
   @Html.Partial("_DeleteModal")
</div>

Then, use JavaScript or server-side logic to trigger this modal when needed.

Triggering the Modal
To trigger the modal from different parts of your application, you can use JavaScript or server-side code to open it when required.
$('#deleteModal').modal('show');

This approach centralizes the modal code, making your application more maintainable and easier to manage. Now, you only need to update the modal in one place if any changes are required.

Nearly all of the information you need to know about action selectors in ASP.NET MVC action methods is covered in this article. I'm producing this post to explain to you the most important, fundamental, and advanced ideas of action selectors.

Overview and Context
The characteristics that can be added to action methods to affect the choice of action method are known as action selectors. Which action methods are called in response to an HTTP request are determined by action selectors. As you may have observed in my earlier post, "MVC Architecture and its Pipeline," under the "Pipeline in MVC" section, the HTTP request first reaches "Routing," then "Controller Initialization," and finally "Action Execution." The rendering of the view is thereby limited to the "Result Execution." Action selectors are used in the section titled "Action Execution" and are crucial in determining which action method is best for handling a given HTTP request. Now let's examine action methods.

Which action methods are there?
The controller's action methods are those whose names must coincide with the method names in the request URL. Following the execution of the request, these methods produce the response. A controller may have numerous action methods. Additionally, you can designate a controller's default action method for handling requests.

What do you mean by action selectors?
A certain action method needs to be chosen in the answer to a request sent to the routing engine. Therefore, action selectors are in charge of choosing this course of action. Because of the attribute applied above the action method, the action selector does its job. Let's examine the many kinds of action selectors.

Types of action selectors
There are three types of action selectors

• NonAction
• ActionName
• ActionVerbs

Name of Action
An action selector called the [ActionName] attribute is used to change the name of the action method. When we want that action method to be called by a different name than the method's real name, we utilize the [ActionName] attribute. The example that follows shows you how to use an action method that was originally named "Time." Let's make the ActionSelectorsDemo project. Choose "Visual C#," then "ASP.NET Web Application," then give the project a name and click "OK."

Select “Empty” and mark “MVC” then click OK, as shown below.

The project is created successfully. Now, create a Controller as shown below.

Select the type of Controller as “MVC 5 Controller – Empty” and click “Add”.

Then, give the name of the Controller and click “Add”.

Make the following changes in the Index action method of the HomeController, as shown below in the screenshot.

Now, the project is ready to take a look at a practical example of [ActionName] action selector. Now, let’s add an action method with the name of “Time” whose purpose is to print the current time. See the code below.

public String Time() {
    return @"Current Time is: " + DateTime.Now;
}

When you build and run the application with this /Home/Time URL, you should see the following output.

Now we are going to use the [ActionName] attribute with the “Time” action method. See the code below.
[ActionName("GetTime")]
public String Time() {
    return @"Current Time is: " + DateTime.Now;
}
Now build and run the application with this /Home/Time URL, you should see the following error, it is because of the [ActionName] action selector.

By using this action selector, you have changed the name of the action method, now the URL /Home/GetTime only works instead of /Home/Time. See the output below.

Hence you have seen that the [ActionName] action selector can change the name of the action method.

NonAction
[NonAction] attribute is an action selector that indicates a public method of the controller is not an action method. We use the [NonAction] attribute when we want a method that shouldn’t be treated as an action method.

As you know, the Controller contains the methods that are public and are termed action methods because of one-to-one mapping with the HTTP-requested URL. But when you want that, any method of Controller shouldn’t be treated as an action method, then you have to use the [NonAction] attribute.

Example
Now let’s make some changes in the HomeController of ActionSelectorsDemo project. Add another method named “GetTimeMethod” whose responsibility is also to print the current time. And then call this newly added method into the “Time” action method. You can see the code of both action methods below.
[ActionName("GetTime")]
public String Time() {
    return GetTimeMethod();
}
public String GetTimeMethod() {
    return @"Current Time is: " + DateTime.Now;
}

Now observe the output, after building and running the application. When we run the application with this /Home/Time URL, we’ll see an error because we are bound to use the name “GetTime” for this action method because of the [ActionName] action selector. Now when you run the application with this /Home/GetTimeMethod, you should see the output given below.

As you have seen, you are still able to access GetTimeMethod while there is no need to access it because it is producing the same output as produced by the “GetTime” action method. So we need to restrict its access by using the [NonAction] action selector because it makes the method a non-action method. So it can’t be called in the request URL at all. Let’s see its example. The code of the “GetTimeMethod” method will become as follows.

[NonAction]
public String GetTimeMethod() {
    return @ "Current Time is: " + DateTime.Now;
}

So the output will become.

So as you have seen, the [NonAction] action selector is used to make an action method Non-Action method.

ActionVerbs

You have seen in the beginning of this article what actions are. And you should also know “Verbs” which are defined as “words which are used to describe an action, state or occurrence of an event”. So as the name suggests, “ActionVerbs” can be defined as “the words that describe the action, purpose, and state of the action method of a Controller”. Now, let’s move towards its technical explanation.

When an HTTP request comes to the controller on a specific action method, then this selector helps us to select the correct action method based on the HTTP requested method. It also helps us to create more than one action method with the same name, also referred to as overloading. So to differentiate these action methods, we use action verbs. We’ll see its example later in this article.

MVC framework supports different ActionVerbs, shown as follows.

• HttpGet: It is used to get information from the server. When this applies to the action method, it restricts the action method to accept only HTTP GET requests.
• HttpPost: It is used to post information on the server. When this applies to the action method, it restricts the action method to accept only HTTP POST requests.
• HttpPut: It is used to create or replace existing information on the server, but can’t update. And when this applies to the action method, it restricts the action method to accept only HTTP PUT requests.
• HttpDelete: It is used to delete any existing information from the server. When this applies to an action method, it restricts the action method to accept only HTTP Delete requests.
• HttpPatch: It is used to fully or partially update any existing information on the server. When this applies to the action method, it restricts the action method to accept only HTTP Patch requests.
• HttpOptions: It is used to represent information about the options of the communication that are supported by the web server.

Action verbs are very popular in using APIs. In the MVC framework, if you don’t apply any attribute of the action selector on the top of the action method when the method is called from the HTTP request, then that HTTP request will behave like a HttpGet request by default.

Conclusion
I hope this article has helped you understand all the concepts of action selectors in ASP.NET MVC. And stay tuned for my next article. If you have any queries then feel free to contact me in the comments section. Also, giving feedback, either positive or negative, will help me to make my articles better and increase my enthusiasm to share my knowledge.

We can regulate the session state behavior in ASP.NET MVC with the aid of the SessionState Attribute. Using this property, we may set the session state to read-only, required, or disabled for the controller. We can only use this attribute at the controller level because it is a class level attribute. A controller's action methods may behave differently from the controller session state behavior in some cases. The following solution is quite helpful in this situation. Thus, in ASP.NET MVC, we may implement a session state behavior for each action.

Problem Synopsis
The SessionState property allows us to regulate the behavior of the session state, however it is only applicable at the controller level. This indicates that the session state behavior is the same for all of the controller's action methods. What is the course of action to take now that certain controller action methods do not require a session while others do?

Resolution
In this case, all the action methods that share the same session state behavior can be moved to a distinct controller class and made. This is a poor course of action. Alternatively, we may override the session state behavior for that particular action method by creating a custom action property.

To create a custom action attribute that overrides the session state's behavior, follow these steps.

First, make a custom attribute.

    [AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)]  
    public sealed class ActionSessionStateAttribute : Attribute  
    {  
        public SessionStateBehavior Behavior { get; private set; }   
        public ActionSessionStateAttribute(SessionStateBehavior behavior)  
        {  
            this.Behavior = behavior;  
        }  
    } 

Step 2: Create custom controller factory
    public class CustomControllerFactory : DefaultControllerFactory  
    {  
        protected override SessionStateBehavior GetControllerSessionBehavior(RequestContext requestContext, Type controllerType)  
        {  
            if (controllerType == null)  
            {  
                return SessionStateBehavior.Default;  
            }  
            var actionName = requestContext.RouteData.Values["action"].ToString();  
            MethodInfo actionMethodInfo;  
            actionMethodInfo = controllerType.GetMethod(actionName, BindingFlags.IgnoreCase | BindingFlags.Public | BindingFlags.Instance);  
            if (actionMethodInfo != null)  
            {  
                var actionSessionStateAttr = actionMethodInfo.GetCustomAttributes(typeof(ActionSessionStateAttribute), false)  
                                    .OfType<ActionSessionStateAttribute>()  
                                    .FirstOrDefault();  
       
                if (actionSessionStateAttr != null)  
                {  
                    return actionSessionStateAttr.Behavior;  
                }  
            }  
            return base.GetControllerSessionBehavior(requestContext, controllerType);  
        }  
    }  

Step 3: Register custom controller factory in Global.asax
    protected void Application_Start()  
    {  
        AreaRegistration.RegisterAllAreas();  
        RegisterGlobalFilters(GlobalFilters.Filters);  
        RegisterRoutes(RouteTable.Routes);  
        ControllerBuilder.Current.SetControllerFactory(typeof(CustomControllerFactory));  
    }

Step 4: Attribute usages
    [SessionState(System.Web.SessionState.SessionStateBehavior.Disabled)]    
    public class HomeController : Controller    
    {    
        public ActionResult Index()    
        {    
            ViewBag.Message = "Welcome to ASP.NET MVC!";    
            TempData["test"] = "session less controller test";    
            return View();    
        }  
        [ActionSessionState(System.Web.SessionState.SessionStateBehavior.Required)]    
        public ActionResult About()    
        {    
            Session["test"] = "session less controller test";    
            return View();    
        }    
    }