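/// <summary>
/// JSON login endpoint: looks up the member by email, verifies the submitted password against the
/// stored hash and, on success, records the member's ID, display name and admin flag in the session.
/// </summary>
/// <param name="loginUser">Model-bound credentials (Email, Password). Null when no body was bound.</param>
/// <returns>
/// 400 with a generic message when the model is missing or invalid; 200 on success; 403 with a single,
/// non-revealing message for both an unknown email and a wrong password.
/// </returns>
/// <remarks>
/// Review notes left as comments rather than code because each needs an owner decision or lives outside
/// this action:
/// - Session fixation: the session ID that existed before login is reused after login. In System.Web,
///   Session.Abandon() does not issue a new ID; regenerate it (SessionIDManager, or clearing the
///   ASP.NET_SessionId cookie) as part of a successful login.
/// - Timing-based account enumeration: when no member matches, VerifyHashedPassword is skipped, so a
///   miss returns measurably faster than a wrong password. Running the verifier against a fixed,
///   well-formed dummy hash on the miss path equalises this; confirm the hash format Crypto expects first.
/// - No lockout or rate limiting is visible here; if none is applied elsewhere (filter, gateway), add it.
/// - JsonRequestBehavior.AllowGet: if this action is not restricted to POST by an attribute outside this
///   view, credentials can arrive in the query string and end up in server/proxy logs. [HttpPost] (and
///   [ValidateAntiForgeryToken] where the client can supply a token) are recommended.
/// - 403 is returned for bad credentials; 401 is the conventional code but is kept as-is for client
///   compatibility.
/// </remarks>
public JsonResult Login(Login loginUser)
{
    Response.ContentType = "application/json; charset=utf-8";

    // A request with no body binds loginUser to null while ModelState can still be valid; without this
    // guard the Email access below throws and the client sees a 500 instead of a 400.
    if (loginUser == null || !ModelState.IsValid)
    {
        Response.StatusCode = 400;
        return Json(new { message = "Bad request, please check your input and try again." }, JsonRequestBehavior.AllowGet);
    }

    using (CauseDBContext db = new CauseDBContext())
    {
        // Equality is translated by the query provider; case sensitivity follows the column collation.
        var matchedUsers = db.Members.FirstOrDefault(a => a.Email.Equals(loginUser.Email));

        if (matchedUsers == null || !Crypto.VerifyHashedPassword(matchedUsers.Password, loginUser.Password))
        {
            // One message for "unknown email" and "wrong password" so the body does not reveal which
            // emails are registered (the timing difference is covered in the remarks above).
            Response.StatusCode = 403;
            return Json(new { message = "The username/password was incorrect. Please try again." }, JsonRequestBehavior.AllowGet);
        }

        Session["UserID"] = matchedUsers.ID.ToString();
        // A member without a name should still be able to log in; store null rather than throw.
        Session["UserName"] = matchedUsers.Name == null ? null : matchedUsers.Name.ToString();

        // Display-only flag for the admin menu link; admin routes must enforce their own authorisation.
        if (matchedUsers.Role == Role.Admin)
        {
            Session["admin"] = true;
        }

        Response.StatusCode = 200;
        return Json(new { message = "Login complete, welcome back." }, JsonRequestBehavior.AllowGet);
    }
}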