A secure, full-featured ASP.NET Core MVC e-commerce web application built with Entity Framework Core, ASP.NET Core Identity, and classic MVC architecture.
- Overview
- Architecture
- Project Structure
- Features
- Security Implementation
- Getting Started
- Default Credentials
- Technologies Used
## Overview

ADO.NET OnlineShop is a small online shopping platform demonstrating secure web application development practices. It implements user registration/login with ASP.NET Core Identity, role-based authorization, product browsing, order placement, and customer reviews, all following the classic MVC (Model-View-Controller) pattern. Despite the repository name, data access goes through EF Core rather than hand-written ADO.NET commands.
## Architecture

```text
┌─────────────────────────────────────────────────┐
│                    BROWSER                      │
└─────────────────┬───────────────────────────────┘
                  │
┌─────────────────▼───────────────────────────────┐
│                 CONTROLLERS                     │
│   HomeController        AccountController       │
│   ProductController     AdminController         │
└─────────────────┬───────────────────────────────┘
                  │
┌─────────────────▼───────────────────────────────┐
│                  SERVICES                       │
│   IAccountService  →  AccountService            │
│           (Business Logic Layer)                │
└─────────────────┬───────────────────────────────┘
                  │
┌─────────────────▼───────────────────────────────┐
│                 DATA LAYER                      │
│   ApplicationDbContext (EF Core InMemory)       │
│   ASP.NET Core Identity                         │
└─────────────────────────────────────────────────┘
```
## Project Structure

```text
OnlineShop/
├── Controllers/
│   ├── HomeController.cs            # Landing page
│   ├── AccountController.cs         # Auth (Register/Login/Logout)
│   ├── ProductController.cs         # Product CRUD + Orders + Reviews
│   └── AdminController.cs           # Admin dashboard
├── Models/
│   ├── ApplicationUser.cs           # Identity user with Role
│   ├── Product.cs                   # Product entity
│   ├── Order.cs                     # Order entity
│   ├── ProductReview.cs             # Review entity
│   ├── RegisterViewModel.cs         # Registration form model
│   ├── LoginViewModel.cs            # Login form model
│   └── ProductReviewViewModel.cs    # Review form model
├── Data/
│   └── ApplicationDbContext.cs      # EF Core context + seed data
├── Services/
│   ├── IAccountService.cs           # Service interface
│   └── AccountService.cs            # Auth business logic
├── Views/
│   ├── Home/Index.cshtml            # Public landing page
│   ├── Account/
│   │   ├── Register.cshtml          # Registration form
│   │   ├── Login.cshtml             # Login form
│   │   └── AccessDenied.cshtml      # 403 page
│   ├── Product/
│   │   ├── Index.cshtml             # Product catalog
│   │   └── Details.cshtml           # Product detail + reviews
│   ├── Admin/Dashboard.cshtml       # Admin panel
│   └── Shared/_Layout.cshtml        # Bootstrap navbar layout
└── Program.cs                       # App configuration & DI
```
## Features

- ASP.NET Core Identity with cookie-based authentication
- Role-based access control (Admin / Customer)
- `[Authorize]` and `[Authorize(Roles = "Admin")]` route protection
- Automatic redirect to the login page with a `ReturnUrl` for unauthenticated requests; authenticated users who lack the required role are sent to the `AccessDenied` page instead
- Client-side + server-side validation on all forms
- Password complexity enforcement (uppercase, lowercase, digit, special character)
- Brute-force protection: account lockout after 5 failed attempts (5-minute lock)
- Passwords hashed by ASP.NET Core Identity's built-in password hasher (PBKDF2); no custom hashing code
- Public product catalog with 5 seeded products
- Product detail pages with stock information
- Authenticated order placement with stock validation
- Customer review system (1-5 star rating + comments)
- Protected admin panel at `/Admin/Dashboard`
- Real-time counts: Total Users, Total Orders, Total Products
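The Identity wiring behind the list above, as an added example; it is not the project's own `Program.cs` or `AccountService.cs`, which are not reproduced on this page. It reuses the type names from the project tree (`ApplicationUser`, `ApplicationDbContext`, `IAccountService`, `LoginViewModel`) and assumes Identity's role store (`IdentityRole`), a `LoginViewModel` with `Email`, `Password` and `RememberMe`, and the email address doubling as the user name, as the seeded credentials suggest. The three files are shown as one listing.

```csharp
// Added example, not the project's own code. Program.cs, Services/AccountService.cs and the
// login/logout actions of AccountController are shown as one listing. Assumed: the project's
// ApplicationUser, ApplicationDbContext and LoginViewModel (Email, Password, RememberMe)
// are in scope, and the user name is the email address.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using SignInResult = Microsoft.AspNetCore.Identity.SignInResult; // Mvc declares a SignInResult too

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddDbContext<ApplicationDbContext>(o => o.UseInMemoryDatabase("OnlineShop"));

builder.Services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    // Password complexity: uppercase, lowercase, digit, special character.
    options.Password.RequiredLength = 8;
    options.Password.RequireUppercase = true;
    options.Password.RequireLowercase = true;
    options.Password.RequireDigit = true;
    options.Password.RequireNonAlphanumeric = true;

    // Brute-force protection: 5 failures, then a 5-minute lock. Failures are only
    // counted when PasswordSignInAsync is called with lockoutOnFailure: true (below).
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
})
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();

builder.Services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = "/Account/Login";               // unauthenticated: 302 here with ?ReturnUrl=
    options.AccessDeniedPath = "/Account/AccessDenied"; // authenticated but wrong role: 403 page
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Lax;
    options.ExpireTimeSpan = TimeSpan.FromHours(1);
    options.SlidingExpiration = true;
});
builder.Services.AddScoped<IAccountService, AccountService>();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // must precede UseAuthorization
app.UseAuthorization();
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();

public interface IAccountService
{
    Task<SignInResult> LoginAsync(LoginViewModel model);
    Task LogoutAsync();
}

public class AccountService : IAccountService
{
    private readonly SignInManager<ApplicationUser> _signIn;
    public AccountService(SignInManager<ApplicationUser> signIn) => _signIn = signIn;

    // lockoutOnFailure: true is what makes the Lockout options above take effect.
    public Task<SignInResult> LoginAsync(LoginViewModel m) =>
        _signIn.PasswordSignInAsync(m.Email, m.Password, m.RememberMe, lockoutOnFailure: true);

    // Deletes the authentication cookie so the browser has no credential left to present.
    public Task LogoutAsync() => _signIn.SignOutAsync();
}

public class AccountController : Controller
{
    private readonly IAccountService _accounts;
    public AccountController(IAccountService accounts) => _accounts = accounts;

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model, string? returnUrl = null)
    {
        if (!ModelState.IsValid) return View(model);

        var result = await _accounts.LoginAsync(model);
        if (result.Succeeded)
            // Follow ReturnUrl only when it is local, so it cannot become an open redirect.
            return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl!) : RedirectToAction("Index", "Home");

        // One message for unknown user and wrong password; a distinct one for lockout.
        ModelState.AddModelError(string.Empty, result.IsLockedOut
            ? "Account locked for 5 minutes after too many failed attempts."
            : "Invalid login attempt.");
        return View(model);
    }

    [HttpPost, ValidateAntiForgeryToken]   // logout changes state, so it is a POST with a token
    public async Task<IActionResult> Logout()
    {
        await _accounts.LogoutAsync();
        return RedirectToAction("Index", "Home");
    }
}
```

Two details decide whether the lockout and role claims above actually hold. `PasswordSignInAsync` must be called with `lockoutOnFailure: true`; with the default `false`, the `Lockout` options never count a failure. And `[Authorize(Roles = "Admin")]` only works if the role reaches the cookie as a role claim, which `AddIdentity<ApplicationUser, IdentityRole>` does for roles assigned through `UserManager.AddToRoleAsync`; if the project keeps a `Role` string on `ApplicationUser` instead, that value has to be added as a `ClaimTypes.Role` claim at sign-in.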
## Security Implementation

- SQL Injection Prevention: all data access is EF Core LINQ, which EF translates to parameterized commands; there is no `FromSqlRaw` and no string-built SQL. With the InMemory provider no SQL is generated at all, so the LINQ-only rule is what keeps the guarantee intact when the provider is swapped for SQL Server or SQLite.
- XSS Prevention: Razor HTML-encodes every `@` expression by default, and `@Html.Raw()` is never used on user-supplied content such as review comments.
- CSRF Protection: every POST form renders `@Html.AntiForgeryToken()` (the `<form asp-action>` tag helper emits it automatically) and every state-changing action carries `[ValidateAntiForgeryToken]`.
- Input Validation: HTML5/jQuery unobtrusive validation in the browser plus Data Annotations checked via `ModelState.IsValid` on the server; only the server-side check is a security control, the client-side one is a usability aid.
- Secure Logout: `SignOutAsync()` deletes the authentication cookie and ends the browser session. A copy of the cookie taken before logout remains valid until it expires or the user's security stamp changes (`UserManager.UpdateSecurityStampAsync`), which Identity rechecks at the `SecurityStampValidator` interval (30 minutes by default).

| Threat | Mitigation |
|---|---|
| SQL Injection | EF Core LINQ exclusively; no `FromSqlRaw`, no string concatenation |
| XSS (Cross-Site Scripting) | Razor auto HTML-encoding; no `@Html.Raw()` on user content |
| CSRF (Cross-Site Request Forgery) | `[ValidateAntiForgeryToken]` + `@Html.AntiForgeryToken()` on all POST forms |
| Brute Force | Identity lockout: 5 failed attempts, then a 5-minute lockout |
| Password Storage | ASP.NET Core Identity PBKDF2 hashing (never custom) |
| Unauthorized Access | Role-based `[Authorize]` attributes; `AccessDenied` handling |
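The order and review POST actions written the way the table above describes, as an added example rather than the project's own `ProductController.cs`. Entity shapes are assumed: `Product { Id, Name, Price, Stock, Reviews }`, `Order { ProductId, UserId, Quantity, OrderDate }`, `ProductReview { ProductId, UserId, Rating, Comment, CreatedAt }`, with `Products`, `Orders` and `ProductReviews` DbSets on `ApplicationDbContext`.

```csharp
// Added example, not the project's own code. Assumed entity shapes:
//   Product { Id, Name, Price, Stock, Reviews }, Order { ProductId, UserId, Quantity, OrderDate },
//   ProductReview { ProductId, UserId, Rating, Comment, CreatedAt }
// and DbSets Products, Orders, ProductReviews on ApplicationDbContext.
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public class ProductReviewViewModel
{
    public int ProductId { get; set; }

    // Data Annotations are the server-side rules; the same attributes emit the data-val-*
    // markup that jQuery unobtrusive validation enforces in the browser.
    [Range(1, 5)]
    public int Rating { get; set; }

    [Required, StringLength(500, MinimumLength = 3)]
    public string Comment { get; set; } = string.Empty;
}

public class ProductController : Controller
{
    private readonly ApplicationDbContext _db;
    private readonly UserManager<ApplicationUser> _users;

    public ProductController(ApplicationDbContext db, UserManager<ApplicationUser> users)
    {
        _db = db;
        _users = users;
    }

    // Public catalog and detail pages: anonymous, read-only, LINQ only.
    public async Task<IActionResult> Index() =>
        View(await _db.Products.AsNoTracking().OrderBy(p => p.Name).ToListAsync());

    public async Task<IActionResult> Details(int id)
    {
        var product = await _db.Products.AsNoTracking()
            .Include(p => p.Reviews)
            .FirstOrDefaultAsync(p => p.Id == id);   // id is a parameter, never spliced into SQL
        return product is null ? NotFound() : View(product);
    }

    [HttpPost]
    [Authorize]                 // anonymous caller: 302 to /Account/Login?ReturnUrl=...
    [ValidateAntiForgeryToken]  // POST without the form's token: 400
    public async Task<IActionResult> Order(int id, [Range(1, 100)] int quantity = 1)
    {
        var product = await _db.Products.Include(p => p.Reviews).FirstOrDefaultAsync(p => p.Id == id);
        if (product is null) return NotFound();

        // Stock is validated on the server regardless of what the page showed the client.
        if (product.Stock < quantity)
            ModelState.AddModelError(nameof(quantity), $"Only {product.Stock} in stock.");
        if (!ModelState.IsValid) return View(nameof(Details), product);

        product.Stock -= quantity;
        _db.Orders.Add(new Order
        {
            ProductId = product.Id,
            UserId = _users.GetUserId(User)!,   // buyer comes from the cookie, not from a form field
            Quantity = quantity,
            OrderDate = DateTime.UtcNow
        });
        await _db.SaveChangesAsync();
        return RedirectToAction(nameof(Details), new { id });
    }

    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Review(ProductReviewViewModel model)
    {
        if (!ModelState.IsValid) return RedirectToAction(nameof(Details), new { id = model.ProductId });
        if (!await _db.Products.AnyAsync(p => p.Id == model.ProductId)) return NotFound();

        _db.ProductReviews.Add(new ProductReview
        {
            ProductId = model.ProductId,
            UserId = _users.GetUserId(User)!,
            Rating = model.Rating,
            Comment = model.Comment,   // stored verbatim; Razor HTML-encodes @review.Comment on output
            CreatedAt = DateTime.UtcNow
        });
        await _db.SaveChangesAsync();
        return RedirectToAction(nameof(Details), new { id = model.ProductId });
    }
}
```

On the Razor side the token comes from `@Html.AntiForgeryToken()` or, automatically, from a `<form asp-action="Order">` tag helper; `[ValidateAntiForgeryToken]` rejects the request with 400 when the cookie/form token pair is missing or does not match. Taking `UserId` from the authenticated principal rather than from a posted field is what ties an order or review to the customer who submitted it, since a hidden input is as editable as any other.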
## Getting Started

```bash
# Clone the repository
git clone https://github.com/DibyaGit/ADO.NET-OnlineShop.git
cd ADO.NET-OnlineShop

# Restore dependencies
dotnet restore

# Build
dotnet build

# Run the application
dotnet run
```

The application starts at https://localhost:5001 (or the port shown in your terminal).

## Default Credentials

| Role | Email | Password |
|---|---|---|
| Admin | admin@shop.com | Admin@123 |
| Customer | customer@shop.com | Customer@123 |

New registrations are automatically assigned the Customer role. These two accounts are seeded into the in-memory database on every start and are for local demonstration only.
This project uses the Entity Framework Core InMemory database provider, so no external database setup is required. Data is seeded on startup and discarded when the process exits:
| Product | Price |
|---|---|
| Wireless Mouse | $29.99 |
| Mechanical Keyboard | $79.99 |
| USB-C Hub | $45.00 |
| Laptop Stand | $35.50 |
| Webcam 1080p | $59.99 |
## Technologies Used

| Technology | Purpose |
|---|---|
| ASP.NET Core 10.0 MVC | Web framework |
| Entity Framework Core | ORM / Data access |
| EF Core InMemory | Database provider |
| ASP.NET Core Identity | Authentication & user management |
| Bootstrap 5 | UI styling |
| jQuery Validation | Client-side form validation |
| Razor | View engine |
MIT © DibyaGit