Master technical and career interviews with structured answers—short definition, real examples, pitfalls, and how to answer in 60–90 seconds.
.Value; What interviewers expect A clear definition tied to ASP.NET Core in ASP.NET Core projects Trade-offs (performance, maintainability, security, cost) When you would and would not use it in production Real-world exa…
Answer: wait HttpContext.SignInAsync(principal); Cookies are stored in the browser and sent with each request. What interviewers expect A clear definition tied to ASP.NET Core in ASP.NET Core projects Trade-offs (perform…
Used in traditional MVC apps for session-based auth. services.AddAuthentication(CookieAuthenticationDefaults.Authenticati onScheme) .AddCookie(options => { options.LoginPath = "/Account/Login"; }); On login: await Htt…
Answer: lso supports: Facebook Microsoft Twitter OpenID Connect Azure AD Use RemoteAuthenticationHandler<T> or Identity scaffolding. What interviewers expect A clear definition tied to ASP.NET Core in ASP.N…
Use built-in providers: services.AddAuthentication() .AddGoogle(options => { options.ClientId = "..."; options.ClientSecret = "..."; }); Also supports: Facebook Microsoft Twitter OpenID Connect Azure AD Use RemoteAuth…
Used with JWT to renew access tokens after expiration without logging in again. Issue refresh token along with access token. Store securely (DB or secure HTTP-only cookie). On access token expiration, send refresh token…
JWTs typically expire in 5–30 minutes. Expired tokens cannot be used. Revocation requires token blacklisting (e.g., database of revoked tokens). ✅ Configure expiration: Expires = DateTime.UtcNow.AddMinutes(30) ✅ Use refr…
Answer: [Authorize]: Requires authenticated user [Authorize(Roles = "Admin")]: Requires role [AllowAnonymous]: Allows access without login Example: [Authorize] public IActionResult Dashboard() { } [AllowAnonymous] public…
Answer: uthorizationHandler<MinimumAgeRequirement> { protected override Task HandleRequirementAsync(...) { // logic } } Register in DI and use with [Authorize(Policy = "...")]. What interviewers expect A cl…
Define complex authorization rules using IAuthorizationHandler: public class MinimumAgeRequirement : IAuthorizationRequirement { public int Age { get; } public MinimumAgeRequirement(int age) => Age = age; public class…
SP.NET Core uses Data Protection API to: Encrypt authentication cookies Protect tokens (e.g., password reset tokens) Configure: services.AddDataProtection() .PersistKeysToFileSystem(new DirectoryInfo("path")) .SetApplica…
Multi-tenancy can involve: Per-tenant databases Per-tenant user stores Per-tenant roles/policies Strategies: Use claims to store tenant ID Filter data per tenant Custom middleware for tenant resolution Can integrate with…
SP.NET Core Identity uses PBKDF2 hashing by default. Best practices: Never store plaintext passwords Use salted + hashed storage Use PasswordHasher<T> or Identity defaults Use: PasswordHasher<T>.HashPassword(…
Supported out of the box in ASP.NET Core Identity. Options: SMS (via provider) Email Authenticator app (TOTP) Enable via Identity configuration: services.Configure<IdentityOptions>(options => { options.SignIn.Re…
Filters are components that run code before or after certain stages in the request pipeline within MVC or Razor Pages. Types of filters include: Authorization filters: Run before any other filter to check user authorizat…
Middleware is part of the global HTTP request pipeline and executes for every request. Filters only run within MVC/Razor pipeline, for controller actions or Razor Pages handlers. Middleware runs earlier and can short-cir…
Filters run in a specific order depending on their type: Authorization filters run first. Resource filters run next. Model binding happens after resource filters. Action filters run around the action execution. Exception…
Create a custom filter by implementing one of the filter interfaces like: public class CustomActionFilter : IActionFilter { public void OnActionExecuting(ActionExecutingContext context) { // Before action executes } publ…
Answer: ctions. Global filters are best for cross-cutting concerns like logging, exception handling. Controller/action filters are best for behavior specific to particular routes or endpoints. What interviewers expect A…
Global filters apply to all MVC actions, registered via AddControllers or AddMvc options. Controller or action filters are applied via attributes directly on controllers or actions. Global filters are best for cross-cutt…
Filters receive context objects (e.g., ActionExecutingContext) providing: HTTP context and request data. Access to action parameters. Ability to modify or cancel execution (e.g., short-circuit). Access to the result or e…
Filters can short-circuit by setting the result early, preventing further execution: public void OnActionExecuting(ActionExecutingContext context) { if (!IsAuthorized()) { context.Result = new UnauthorizedResult(); // st…
Filter attributes are instantiated per request and support parameters, but have limited DI capabilities. Service-based filters (using ServiceFilter or TypeFilter) allow filters to be resolved from DI container, enabling…
uthentication). Use filters for MVC-specific concerns tied to action execution (authorization, validation, caching). Filters can complement middleware for granular control within MVC. Example: Use middleware for global e…
Use middleware for concerns that affect all requests (logging, CORS, authentication). Use filters for MVC-specific concerns tied to action execution (authorization, validation, caching). Filters can complement middleware…
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
.Value;
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: wait HttpContext.SignInAsync(principal); Cookies are stored in the browser and sent with each request.
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Used in traditional MVC apps for session-based auth.
services.AddAuthentication(CookieAuthenticationDefaults.Authenticati
onScheme)
.AddCookie(options => {
options.LoginPath = "/Account/Login";
});
On login:
await HttpContext.SignInAsync(principal);
Cookies are stored in the browser and sent with each request.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: lso supports: Facebook Microsoft Twitter OpenID Connect Azure AD Use RemoteAuthenticationHandler<T> or Identity scaffolding.
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Use built-in providers:
services.AddAuthentication()
.AddGoogle(options => {
options.ClientId = "...";
options.ClientSecret = "...";
});
Also supports:
Use RemoteAuthenticationHandler<T> or Identity scaffolding.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Used with JWT to renew access tokens after expiration without logging in again.
You must manually implement refresh token logic (not built-in to Identity).
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
✅ Configure expiration:
Expires = DateTime.UtcNow.AddMinutes(30)
✅ Use refresh tokens to handle expiration.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: [Authorize]: Requires authenticated user [Authorize(Roles = "Admin")]: Requires role [AllowAnonymous]: Allows access without login Example: [Authorize] public IActionResult Dashboard() { } [AllowAnonymous] public IActionResult Login() { }
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: uthorizationHandler<MinimumAgeRequirement> { protected override Task HandleRequirementAsync(...) { // logic } } Register in DI and use with [Authorize(Policy = "...")].
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Define complex authorization rules using IAuthorizationHandler:
public class MinimumAgeRequirement : IAuthorizationRequirement {
public int Age { get; }
public MinimumAgeRequirement(int age) => Age = age;
public class MinimumAgeHandler :
AuthorizationHandler<MinimumAgeRequirement> {
protected override Task HandleRequirementAsync(...) {
// logic
Register in DI and use with [Authorize(Policy = "...")].
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
SP.NET Core uses Data Protection API to:
Configure:
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo("path"))
.SetApplicationName("AppName");
Used internally by Identity and cookie middleware.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Multi-tenancy can involve:
Strategies:
Can integrate with IdentityServer4 or Azure AD B2C for federated auth.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
SP.NET Core Identity uses PBKDF2 hashing by default.
Best practices:
Use:
PasswordHasher<T>.HashPassword(user, password)
Can switch to Argon2, Bcrypt via custom password hasher.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Supported out of the box in ASP.NET Core Identity.
Options:
Enable via Identity configuration:
services.Configure<IdentityOptions>(options => {
options.SignIn.RequireConfirmedEmail = true;
});
Use SignInManager<T> to handle verification and token generation.
Filters & Middleware Overlaps
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Filters are components that run code before or after certain stages in the request pipeline
within MVC or Razor Pages. Types of filters include:
Filters allow you to inject logic at these specific points.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
request.
handlers.
scoped to MVC processing.
for concerns around controller/action execution.ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Filters run in a specific order depending on their type:
Within each type, filters can be ordered by their Order property and whether they are global,
controller-level, or action-level.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Create a custom filter by implementing one of the filter interfaces like:
public class CustomActionFilter : IActionFilter
{
public void OnActionExecuting(ActionExecutingContext context)
{
// Before action executes
}
public void OnActionExecuted(ActionExecutedContext context)
{
// After action executes
}
}
Register globally in Startup:
services.AddControllersWithViews(options =>
{
options.Filters.Add<CustomActionFilter>();
});
Or decorate controllers/actions:
[ServiceFilter(typeof(CustomActionFilter))]
public class HomeController : Controller { ... }ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Answer: ctions. Global filters are best for cross-cutting concerns like logging, exception handling. Controller/action filters are best for behavior specific to particular routes or endpoints.
In a production ASP.NET Core application, teams apply this when handling user-facing features or integration boundaries. For example, you might use it during a sprint where reliability and observability matter—logging metrics, validating edge cases, and documenting the decision in an ADR so future developers understand why the approach was chosen.
Tip: Practice aloud on Toolliyo mock interview or the Interview Q&A section before your real interview.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
options.
actions.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Filters receive context objects (e.g., ActionExecutingContext) providing:
This allows filters to inspect, modify, or block processing at their stage.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
Filters can short-circuit by setting the result early, preventing further execution:
public void OnActionExecuting(ActionExecutingContext context)
{
if (!IsAuthorized())
{
context.Result = new UnauthorizedResult(); // stops pipeline
here
}
}
This prevents action execution and later filters from running.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
limited DI capabilities.
resolved from DI container, enabling constructor injection.
Use service-based filters when you need dependencies injected.
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
uthentication).
validation, caching).
MVC-specific exceptions and returning appropriate views or API responses.
Versioning, CORS
ASP.NET Core ASP.NET Core Tutorial · ASP.NET Core
authentication).
validation, caching).
MVC-specific exceptions and returning appropriate views or API responses.
Versioning, CORS