Check website visitor is authenticated in admin site

2024/08/14 6:57 PM

In some scenarios you might want to check if the current visitor is authenticated in the admin portal. This might be to adjust the website behaviour specifically for admin visitors.

Is there a Kentico API that we can use on the .NET front-end to detect if the visitor is authenticated in the admin site?

If not, I think just checking for the existence of the admin authentication cookie seems to work well:

var adminCookie = Request.Cookies[".AspNetCore.Xperience.Application"];

Are there any other suggestions?


Environment

  • Xperience by Kentico version: 29.3.0
  • .NET version: 8

Answers

2024/08/16 10:54 PM

@liamgold - do you mean determine if someone viewing a website channel is authenticated as an Xperience administration user?

There are a couple of things you could check:

  1. httpContext.Kentico().Preview().Enabled - this is true when viewing a web page in the "Preview" or "Page Builder" tab, which can only be done by an authenticated administration user
  2. If you are in an ASP.NET Core Controller, you can access ControllerBase.User, which will have a ClaimsIdentity with an AuthenticationType value of Xperience.Application, set by the Xperience administration ASP.NET Core cookie. This is also accessible via IHttpContextAccessor.HttpContext.User.Identity.AuthenticationType if you are outside of a Controller.

2024/08/20 7:34 PM

Answer

Thanks Sean - yeah, I want a way of knowing if the visitor to the website channel is currently authenticated to the Xperience administration portal. If the visitor is authenticated as an admin user, a ViewComponent on the master page will display different content.

Your first recommendation wouldn't be sufficient as I want to utilise it on the front-end, not in the Preview/Page Builder tabs.

I tried the second point but it was not returning the ClaimsIdentity for the admin portal at all.

After doing a little more digging, it seems this could be the best way:

// Inside the ViewComponent's InvokeAsync. Needs `using Microsoft.AspNetCore.Authentication;`
// for the AuthenticateAsync extension method on HttpContext.
var authenticateResult = await HttpContext.AuthenticateAsync(AdminIdentityConstants.APPLICATION_SCHEME);

// Only treat the visitor as an admin when the admin cookie scheme authenticated them.
if (authenticateResult.Succeeded &&
    authenticateResult.Principal?.Identity != null &&
    authenticateResult.Principal.Identity.IsAuthenticated)
{
    return View(ViewName);
}

// Anyone else gets nothing rendered.
return Content(string.Empty);

This lets me check if the user is already authenticated under a specific authentication scheme (using the constant Kentico internally uses).

2024/08/20 9:01 PM

Ah, yes, both of my suggestions will only work if you view the page from the Page Builder/Preview views, not directly through visiting a page in a website channel.

If you need "public" validation of the user's administration cookie, then your approach is the correct one.

But, don't forget - this will only work if you log in to the administration from the same domain that you use to browse a website.

Because the administration application is not a "site" or a "channel", you can access it from any domain/port that Kestrel answers requests on.

If you have multiple channels set up on different domains, you can log into the administration through any of them and the administration cookie will be set for the one you use. Your browser won't send that cookie when you visit a website channel that uses a different domain.

For this to work for all website channels, you would need to log into the administration from every website channel domain.
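A complete version of the accepted check, written as an added example rather than code from the thread or from Kentico: a hypothetical AdminVisitorDetector service wrapping the AuthenticateAsync call, plus a ViewComponent for the master layout that uses it and fails closed whenever the check cannot succeed. Class names and the "Default" view are assumptions; AdminIdentityConstants.APPLICATION_SCHEME is the constant named above, and the namespace declaring it is assumed to be imported.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical scoped service around the AuthenticateAsync check from the accepted answer.
// AdminIdentityConstants.APPLICATION_SCHEME is the Kentico constant named in the thread; the
// namespace declaring it is not on this page and is assumed to be imported.
public sealed class AdminVisitorDetector
{
    private readonly IHttpContextAccessor accessor;
    public AdminVisitorDetector(IHttpContextAccessor accessor) => this.accessor = accessor;

    // Returns the administration principal when the request carried a valid admin cookie
    // for this host, otherwise null. Fails closed: every failure counts as "not an admin",
    // including an unregistered scheme (AuthenticateAsync then throws InvalidOperationException).
    public async Task<ClaimsPrincipal?> GetAdminPrincipalAsync()
    {
        var httpContext = accessor.HttpContext;
        if (httpContext is null) return null;
        try
        {
            var result = await httpContext.AuthenticateAsync(AdminIdentityConstants.APPLICATION_SCHEME);
            return result.Succeeded && result.Principal?.Identity?.IsAuthenticated == true
                ? result.Principal
                : null;
        }
        catch (InvalidOperationException)
        {
            return null;
        }
    }
}

// Master-layout ViewComponent: renders its "Default" view only for admin visitors.
// Register with builder.Services.AddHttpContextAccessor() and AddScoped<AdminVisitorDetector>().
public sealed class AdminToolbarViewComponent : ViewComponent
{
    private readonly AdminVisitorDetector detector;
    public AdminToolbarViewComponent(AdminVisitorDetector detector) => this.detector = detector;

    public async Task<IViewComponentResult> InvokeAsync()
    {
        var admin = await detector.GetAdminPrincipalAsync();
        // Per the thread, the admin cookie is only sent for the domain used to log into the
        // administration, so on another channel domain this is null and nothing is rendered.
        return admin is null ? Content(string.Empty) : View("Default", admin.Identity!.Name);
    }
}
```

The result is a UI hint only; any edit action the rendered markup links to is still authorized by the administration application itself.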

2024/08/21 7:08 PM

Thanks for the heads up on the different domains - I hadn't quite thought about that! I have added a note around that on the package I have created.

I created this package which adds an "Edit Page" button to the front-end website channel that allows logged-in content editors quick and easy access to the page in the channel's content tree. The button appears at the bottom right.
