right way to have role based custom auth query database on every request asp.net mvc
This may be a slightly ignorant question but I'm new to MVC so I'm sorry!

I studied the Nerd Dinner auth model but in my app I have a complicated role based authentication. So what I do is this:

    using System;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Security;

    // Global.asax handler: runs after the FormsAuthentication module has
    // processed the request, so the auth cookie is available here.
    void MvcApplication_PostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = HttpContext.Current.Request
            .Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie != null)
        {
            string encTicket = authCookie.Value;
            if (!String.IsNullOrEmpty(encTicket))
            {
                FormsAuthenticationTicket ticket =
                    FormsAuthentication.Decrypt(encTicket);
                // CustomIdentity is the application's own class; its constructor
                // loads the user's roles from the database (the query at issue).
                CustomIdentity id = new CustomIdentity(ticket.Name);
                GenericPrincipal prin = new GenericPrincipal(id, id.Roles);
                HttpContext.Current.User = prin;
            }
        }
    }

On LogOn I authenticate the username/pass with FormsAuth and then I create the cookie.

The problem here is every time I create the custom identity, I have to query the database for the users roles. Is there a correct way around this or am I doing the right thing to query the DB on every incoming request? Should I save the roles list in a cookie or something?

I also don't really understand the whole life cycle of how forms auth takes care of the authentication. I use the same IFormsAuthentication design pattern that Nerd Dinner uses, and during a sign-in I call FormsAuth.SignIn(), which in turn calls FormsAuthentication.SetAuthCookie. When does it manage to call the MembershipService.ValidateUser() method? Also, if the auth cookie has been set, why would Nerd Dinner create a ticket, then add it into the request, and then read it during PostAuthenticateRequest to check which user it was? Does the ticket operate like a session?

Thanks! Merry Christmas!

Update: This link gave me a slightly better understanding of the forms authentication ticket.

Unbelt answered 25/12, 2010 at 19:0 Comment(0)
An alternative approach is to store your user's roles in the authentication ticket when your user is authenticated. Then for every request (Application_AuthenticateRequest method of the global.asax file) you can extract the roles from the authentication ticket and create a GenericPrincipal.

See this answer for more details.

Bobwhite answered 26/12, 2010 at 12:8 Comment(1)
+1 Very cool. That is definitely more efficient, but like someone commented on your answer, if you store the roles in a cookie and they change in the database. I don't want to give my users the opportunity to remember their login. (It's a high security app) so then if the expiry is 10 mins, it will definitely expire sometime right? If not in 10 mins? Unbelt
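The approach described in this answer, written out as an added example (not the answerer's code and not Nerd Dinner's): the roles are carried in the ticket's UserData at sign-in, and Application_AuthenticateRequest rebuilds a GenericPrincipal from the ticket without touching the database. The class name, the `|` separator and the Global.asax wiring are my assumptions; the roles passed to SignIn are assumed to come from the application's own role lookup.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: roles travel inside the signed, encrypted forms-auth ticket.
public static class RoleTicketAuth
{
    const char RoleSeparator = '|';   // assumption: role names never contain '|'

    // Call once, after the password has been validated (e.g. from the LogOn action).
    public static void SignIn(HttpResponseBase response, string userName, string[] roles, TimeSpan lifetime)
    {
        // Version 1 ticket, non-persistent: the browser drops it when closed.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(lifetime),
            false, string.Join(RoleSeparator.ToString(), roles), FormsAuthentication.FormsCookiePath);

        // Encrypt() both encrypts and MAC-protects the ticket with the machineKey,
        // so a client cannot add a role to its own cookie.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // not readable by script
            Secure = FormsAuthentication.RequireSSL, // HTTPS-only when requireSSL is configured
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Wire this to Application_AuthenticateRequest in Global.asax:
    //   protected void Application_AuthenticateRequest(object s, EventArgs e)
    //   { RoleTicketAuth.AuthenticateRequest(HttpContext.Current); }
    // Returns the principal it installed, or null when the request stays anonymous.
    public static IPrincipal AuthenticateRequest(HttpContext context)
    {
        HttpCookie authCookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            // Decryption or MAC validation failed (tampered cookie, rotated machineKey):
            // treat the request as anonymous rather than letting the exception surface.
            return null;
        }
        if (ticket == null || ticket.Expired)
            return null;

        string[] roles = ticket.UserData.Split(new[] { RoleSeparator }, StringSplitOptions.RemoveEmptyEntries);
        var principal = new GenericPrincipal(new FormsIdentity(ticket), roles);
        context.User = principal;
        return principal;
    }
}
```

Two points the comment above touches on: the roles in the ticket are a snapshot taken at sign-in, so a role removed in the database stays effective until the ticket expires, which is why a short lifetime (the 10 minutes mentioned) matters; and with `slidingExpiration` enabled the framework re-issues the ticket with the same UserData, so the snapshot can outlive that lifetime unless sliding expiration is turned off or the roles are re-read when the ticket is renewed. Cookies are also size-limited (around 4 KB), so a user with very many roles may not fit.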
"Correct?" It's a matter of opinion.

I'd say, if you aren't experiencing issues with the database performance caused by this query, then don't worry about it.

If you are, you can centralize your authentication code into some sort of auth provider or type, and cache authentication information in memory until a write updates the database, which should invalidate the cache at the same time.

(Your second question would do well on its own; I don't have enough info to answer it.)

Univalve answered 25/12, 2010 at 19:40 Comment(1)
+1 Thanks! No, no perf problems at all; coming from web forms and more Windows dev I just thought I was doing something terribly wrong/inefficient! (Also I'm usually self-critical! =P) Unbelt
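One way to build the in-memory cache with write-time invalidation this answer suggests, as an added example rather than the answerer's code. `IRoleStore` is an assumed abstraction over the application's role table, `InMemoryRoleStore` is a constructed stand-in for the database, and the cache key prefix and TTL are arbitrary choices.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Caching;

// Assumed abstraction over the role table: one read (the per-request query the
// question worries about) and one write (the operation that must invalidate).
public interface IRoleStore
{
    string[] LoadRoles(string userName);
    void SaveRoles(string userName, string[] roles);
}

// Constructed stand-in for the database; Queries counts how often it was actually hit.
public sealed class InMemoryRoleStore : IRoleStore
{
    private readonly Dictionary<string, string[]> _rows =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
    public int Queries { get; private set; }

    public string[] LoadRoles(string userName)
    {
        Queries++;
        string[] roles;
        return _rows.TryGetValue(userName, out roles) ? roles : new string[0];
    }

    public void SaveRoles(string userName, string[] roles) { _rows[userName] = roles; }
}

// Added example: role lookup cached in-process until a write invalidates it.
public sealed class CachedRoleProvider
{
    private const string KeyPrefix = "roles:";
    private readonly IRoleStore _store;
    private readonly MemoryCache _cache;
    private readonly TimeSpan _ttl;

    public CachedRoleProvider(IRoleStore store, TimeSpan ttl, MemoryCache cache = null)
    {
        _store = store;
        _ttl = ttl;
        _cache = cache ?? MemoryCache.Default;
    }

    private static string KeyFor(string userName)
    {
        // Assumption: user names are case-insensitive, so normalise the key.
        return KeyPrefix + userName.ToLowerInvariant();
    }

    // Read path: the database is queried only on a cache miss.
    public string[] GetRoles(string userName)
    {
        string key = KeyFor(userName);
        var cached = _cache.Get(key) as string[];
        if (cached != null)
            return (string[])cached.Clone();   // copy, so callers cannot mutate the cached entry

        string[] fresh = _store.LoadRoles(userName) ?? new string[0];
        // Absolute (not sliding) expiry bounds how long a revoked role can linger
        // if an invalidation is ever missed (e.g. a write made by another process).
        _cache.Set(key, fresh, new CacheItemPolicy { AbsoluteExpiration = DateTimeOffset.Now.Add(_ttl) });
        return (string[])fresh.Clone();
    }

    // Write path: persist first, then evict, so the next request reloads the new roles.
    public void SetRoles(string userName, string[] roles)
    {
        _store.SaveRoles(userName, roles);
        _cache.Remove(KeyFor(userName));
    }
}
```

Usage: with `var store = new InMemoryRoleStore(); var provider = new CachedRoleProvider(store, TimeSpan.FromMinutes(10), new MemoryCache("roles-test"));`, two consecutive `provider.GetRoles("alice")` calls leave `store.Queries` at 1; a `provider.SetRoles("alice", new[] { "Admin" })` followed by another `GetRoles` raises it to 2 and returns the new role immediately. Note that `MemoryCache` is per process: on a web farm the eviction only happens on the node that performed the write, so the TTL is what bounds staleness on the others.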