public async Task<IActionResult> Login(LoginViewModel model)
{
if(ModelState.IsValid)
{
var result = await _signManager.PasswordSignInAsync(model.Username, model.Password, model.Remember, false);
if(result.Succeeded)
{
if(!string.IsNullOrEmpty(model.ReturnUrl)
&& Url.IsLocalUrl(model.ReturnUrl)) //This is important because it prevents OpenRedirect. OpenRedirects leave users open to phishing attacks
{
return Redirect(model.ReturnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
}
ModelState.AddModelError("", "Invalid login attempt.");
return View(model);
}
public IActionResult Login(string returnUrl = "")
{
var model = new LoginViewModel { ReturnUrl = returnUrl };
return View(model);
}