Tienda Mi Cholo S.A.C uses two complementary security layers in tandem: ASP.NET Core Cookie Authentication for persistent, cryptographically signed identity across requests, and server-side sessions (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/interezante456-pixel/nuevo-proyecto-viernes/llms.txt
Use this file to discover all available pages before exploring further.
IDistributedMemoryCache) for lightweight, per-tab data such as the user’s display name and role string. Both layers are configured in Program.cs and activated together during the middleware pipeline. Every controller that requires login is guarded by the [Authorize] attribute; unauthenticated requests are automatically redirected to /Acceso/Login by the cookie middleware.
Logging In
The login page is served at/Acceso/Login and accepts an email address and a plain-text password. The form binds to the LoginVM view model.
Redirect to login
When a visitor navigates to any
[Authorize]-protected route without a valid authentication cookie, the cookie middleware intercepts the request and redirects to /Acceso/Login. The original URL is preserved in the ReturnUrl query parameter so the user lands back on the intended page after a successful login.Submit credentials
The user fills in their Correo Electrónico and Contraseña on the login form and clicks Iniciar Sesión. The form posts to
AccesoController.Login (HTTP POST).Look up the user
The controller queries the
Usuarios table, eager-loading the related Rol record, and searches for a row where CorreoUsuario and Contraseña match the submitted values:Handle not found
If no matching record is found,
ViewData["Mensaje"] is set to “Correo o contraseña incorrectos” and the login view is re-rendered with the error alert visible. No further action is taken.Handle deactivated account
If a matching record exists but
usuario.Estado == false, ViewData["Mensaje"] is set to “Su cuenta está desactivada. Contacte al administrador.” and the view is returned. The user cannot log in until an administrator re-enables the account.Build identity and sign in
On a successful match with an active account, the controller builds a claims list, creates a
ClaimsIdentity, and signs in the cookie:LoginVM view model
The login form is bound to the following view model, located inViewModels/LoginVM.cs:
<input> fields in the Razor view — type="email" for Correo and type="password" for Contraseña — so the browser performs basic format validation before the form is submitted.
Session Data
After a successful login two parallel stores carry user identity data for the duration of the session.Cookie claims
The authentication cookie contains a signedClaimsPrincipal with the following claims:
| Claim type | Value stored | Used for |
|---|---|---|
ClaimTypes.Name | NomUsuario | User.Identity.Name, sidebar avatar initial |
ClaimTypes.Email | CorreoUsuario | Programmatic email lookup |
ClaimTypes.Role | NomRol | [Authorize(Roles = "...")] checks, User.IsInRole(...) in views |
"IdUsuario" (custom) | ID_Usuario (int as string) | Linking actions to the logged-in user’s record |
"NomCompleto" (custom) | NomCompleto | Display name in the sidebar: User.FindFirst("NomCompleto")?.Value |
Server-side session keys
In addition to the cookie,AccesoController writes the following keys into the distributed in-memory session store:
| Key | Type | Value |
|---|---|---|
"Usuario" | string | NomUsuario |
"NomCompleto" | string | NomCompleto |
"Rol" | string | NomRol |
"IdUsuario" | int | ID_Usuario |
Session values can be read anywhere in the application via
HttpContext.Session.GetString("NomCompleto") or HttpContext.Session.GetInt32("IdUsuario"). They are stored server-side and are never transmitted to the browser directly.Session Timeout
The session is configured inProgram.cs with an idle timeout of 30 minutes:
| Setting | Value | Effect |
|---|---|---|
IdleTimeout | 30 minutes | Session is cleared server-side after 30 minutes of inactivity |
Cookie.HttpOnly | true | Session cookie is inaccessible to JavaScript, reducing XSS risk |
Cookie.IsEssential | true | Session cookie is always set, even when the user has not accepted optional cookies |
/Acceso/Login.
Logging Out
Logout is handled byAccesoController.Logout. The action clears the server-side session first, then revokes the authentication cookie, and finally redirects to the login page:
bi-box-arrow-right) and the Salir button in the top header. Both link to /Acceso/Logout.
Access Denied
When an authenticated user attempts to reach a route they are not authorised for (e.g., a non-administrator navigating to/Usuario/Lista), the cookie middleware redirects to /Acceso/AccesoDenegado instead of returning a bare HTTP 403 response. This path is set in Program.cs:
AccesoDenegado GET action in AccesoController simply returns its view, which renders a user-friendly page informing the user that they do not have the necessary permissions to access the requested resource and prompting them to return to the Dashboard.
Deactivated Accounts
EveryUsuario record has a boolean Estado column. When Estado = false the account is considered deactivated.
The check is performed immediately after a successful credential match:
AccesoController is decorated with [ResponseCache(Location = ResponseCacheLocation.None, NoStore = true)]. This instructs the browser never to cache any response from this controller — including the login page, the access-denied page, and the logout redirect. As a result, hitting the browser’s Back button after logging out will not restore a cached copy of a protected page; the browser will make a fresh request, which the cookie middleware will redirect back to /Acceso/Login.