Why should you care?

Account pages, checkout, and admin must know who is visiting. Login is the front door.

See it live — copy this example

Create an MVC project (dotnet new mvc), add the code, and run dotnet run.

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginViewModel model)
{
    if (!ModelState.IsValid) return View(model);
    var result = await _signInManager.PasswordSignInAsync(
        model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);
    if (!result.Succeeded) { ModelState.AddModelError("", "Invalid login."); return View(model); }
    return RedirectToAction("Index", "Home");
}

Run Example »

Edit the code and click Run — like W3Schools Try it Yourself.

What happened?

• SignInManager comes from Identity.
• PasswordSignInAsync checks hashed password.
• Success redirects home; failure shows error without revealing which field was wrong.

Try it yourself

1. Scaffold Identity or add packages per Microsoft docs.
2. Create Login view with email, password, Remember me.
3. Register a user, log in, confirm cookie in browser dev tools.
4. Change text or labels in the example and run again — watch the browser update.
5. Break the code on purpose (remove a semicolon), read the error message, then fix it.

Remember

Identity + SignInManager + LoginViewModel. POST + anti-forgery on login form. Redirect after success.