I'm playing around with ASP.NET MVC3 and I'm trying to do a simple Sign Up 'form'. Now, the kicker is that I'm trying to make it a Wizard with 2 steps.
- Authenticate with Facebook/Twitter/Your Fav OpenId provider.
- Fill in any missing data which I require (eg. email address and name).
Step 1 works 100% great :) So don't worry about that. Step 2 is where I have the questions.
So to the questions :-
- View is strongly typed. The Model is a Poco
USER
. It has anICollection<string>
OpenIds. I wish to only display the first one in the Razer View. (which was set in Step 1).
eg.
<div class="editor-label">
<label for="Identifier">Identifier</label>
</div>
<div class="editor-field">
@Html.LabelFor(x => x.OpenIds.FirstOrDefault())
</div>
But that gives me the following evil error :-
Templates can be used only with field access, property access, single-dimension array index, or single-parameter custom indexer expressions.
Secondly, I'm not sure if there's some security implementations I should consider .. because this is a SignUp
wizard to some regards - isn't it possible that the user can jump straight to step 2 (ie. HTTP-GET /authentication/new
) and not have provided an OpenId identity OR provide any one .. but because they skipped the first step (which sends the user to the OpenId website and back here again) ... they have avoided authentication. What steps should I provide to protect against this type of hack? I can't use the [Authorize]
attribute on either Step 1 or Step 2 because it's only at the end of step 2 (ie HTTP-POST /authentication/create
) .. do I finally FormsAuthentication.SignIn(..)
.
Phew! Did that make sense?
Cheers :)
LabelFor
is meant to provide a<label>
element for a normal<input>
.You shouldn't use it here.
Instead, you should use a normal HTML tag.
Check whether you actually got an OpenID.