tags:

views:

161

answers:

4
+2  Q: 

Where to store user login information in asp.net

when I build asp.net applications that require user login, I write a method in my businees class that returns a Member object instance if the user is logged in, null if not. Then I do this: 

Session["User"] = user;

Then in every page load I have to implement this:

User user = Session["User"] as User;
if(null==user){
 //toggle the state of ascx, to show username/password boxes again,
 //Response.Redirect("somewhere else") etc...
}

This looks like its working, but is this a good approach? Because sometimes the Session does not return that object anymore. It happens before 20mins, which is default timeout for session. Is there any reson for that? It happens randomly, when I make several postbacks during testing.

Thanks in advance.

+3  A: 

You cannot use Viewstate - it's scope is the current page. Why don't you use Forms Authentication? It does all this for you, and more, including persisting of the user accounts in the database.

cdonner  2009-11-28 14:49:17
+3  A: 

You should use Form Authenticacion, without any doubt. Here are some links of interest:

eKek0  2009-11-28 14:54:26
+2  A: 

The best way to store user information in my experience is in the database. Microsoft makes this easy with the SqlMembershipProvider. It gives you a pre-defined schema, with best practices like storing the passwords hashed and with a salt (NOT IN CLEARTEXT!). It's a good start and is customizable. Cheers!

LWoodyiii  2009-11-28 14:54:49
A: 

If you're using the default InProc session state, it's only stored in RAM, so it can go away not only when the session times out, but also if the AppPool recycles, which can happen for a number of reasons (idle timeouts, once daily, excessive memory use, etc). In addition, session state is locked by each page, so if your app tries to do multiple accesses at once, you can run into issues.

How large is your User object? If it's not too huge, you might consider storing the data in a cookie, rather than in session state. Silverlight isolated storage is another option. Otherwise, you can keep it the DB and do your own cache management. That can be much more efficient than using the Session dictionary....

I should add that if you can use the built-in Membership provider, it does simplify some of this stuff, but I'm assuming you have your reasons for not going that route--it's definitely not a one-size-fits-all type solution.

RickNZ  2009-11-29 01:18:57

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps