For example: if I am retrieving User.Identity.Name, does it come from the .ASPXAUTH cookie, or is it retrieved from the database using my membership provider?

Are any database requests made when I access User.Identity?

Thanks.


EDIT: Right now I am pretty sure it comes from an authentication ticket cookie, but can't find any official documentation to confirm this. Anyone?

A: 

.ASPXAUTH cookie / User.Identity comes from authentication (Windows, Forms).

If you are trying to get the user for Membership you need to use

  Membership.GetUser()

or

  Membership.GetUser(User.Identity.Name)

documentation here which would result in a DB call.

Nix
I understand that it comes from authentication. However, when I call User.Identity.Name - where is the value retrieved from? Cookies or db or session?
niaher
Cookies only exist after you authenticate... so... everything hinges on your authentication scheme
Nix
+1  A: 

I believe the authentication information is specific to a session and maintained within the ASP.NET process or outside or even SQL Server. Once a user is authenticated a session token is generated, and the token is used to track information about the authenticated user in the state service. On subsequent requests, the session token is used to retrieve the user identity, and that's where we get pre-populated objects like User.Identity.Name. This must be implemented either in the Forms Authentication module or the Windows authentication module, depending on the type of authentication one is using. If you set it to cookieless authentication mode, the session token is displayed within the URL. Once the session expires, all the information pertaining to the session is removed from the state service.

Hope this makes it clear!

nitroxn
Even though it is an accepted answer, it doesn't really answer my question.
niaher
Then why did you accept it?
Ismail
+1  A: 

It depends on the type of session you are using. Sessions can be varied by using two parameters:

1. Use of cookies: cookieless, or use a cookie.
2. The process used to store the session state information: InProc (in process), OutProc (ASP.NET state service), or SQL Server.

If you use SQL Server to store the state information, a database query will certainly be made to fetch the session data. More details here:

http://www.codeproject.com/KB/aspnet/ExploringSession.aspx

nitroxn
A: 

This should answer your question...

"The forms authentication ticket not only includes the user's identity, but also contains information to help ensure the integrity and security of the token." Excerpted from the following Microsoft article:

http://www.asp.net/security/tutorials/forms-authentication-configuration-and-advanced-topics-vb

In addition to that explanation, observing ASP.NET behavior also supports the conclusion that the username is, in fact, stored in the ASPXAUTH cookie: ASP.NET does NOT hit the database on subsequent page requests after the user has been authenticated. You can prove this yourself, just as I did, by running SQL Profiler to monitor the database as it is used by an ASP.NET application.

Also know that username and authentication ticket data are NOT stored in session state. Aside from raising security concerns, that kind of implementation would cause ASP.NET Membership to break when session state is disabled. Here is another Stack Overflow answer indicating that Forms Authentication (Membership) data and Session State have nothing to do with one another:

http://stackoverflow.com/questions/1335472/does-formsauthentication-setauthcookie-make-a-session-based-cookie/1335538#1335538

That answer also links to an MSDN article, here, that explains the ASPXAUTH cookie in detail, though the article I referenced above seems to be more current.

BrianFinkel
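
As an added example (not code from any of the answers above or from Microsoft), this C# helper shows where the name comes from: it decrypts the forms authentication cookie of the current request and compares the ticket's name with User.Identity.Name. The class name AuthTicketInspector is hypothetical, and cookie-based Forms Authentication is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical diagnostic helper (not part of ASP.NET). It repeats, for
// inspection, roughly what FormsAuthenticationModule does on each request
// before User.Identity is populated. Assumes cookie-based (not cookieless) mode.
public static class AuthTicketInspector
{
    public static string Describe(HttpContext context)
    {
        // The cookie name defaults to ".ASPXAUTH" and is configurable in web.config.
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "No forms authentication cookie on this request.";

        FormsAuthenticationTicket ticket = null;
        try
        {
            // Validates and decrypts the ticket with the machineKey settings.
            // The membership database is not consulted here.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { }       // malformed cookie value
        catch (HttpException) { }           // failed validation
        catch (CryptographicException) { }  // tampered or wrong key

        if (ticket == null)
            return "Cookie present but could not be decrypted or validated.";
        if (ticket.Expired)
            return "Ticket for '" + ticket.Name + "' expired at " + ticket.Expiration + ".";

        // Because the name is carried in the ticket, an account deleted or
        // locked out in the membership store stays authenticated until the
        // ticket expires, unless the application re-checks the store itself.
        string identityName = context.User != null ? context.User.Identity.Name : "(none)";
        return string.Format(
            "Ticket name: {0}; issued: {1}; expires: {2}; persistent: {3}; " +
            "User.Identity.Name: {4}; match: {5}",
            ticket.Name, ticket.IssueDate, ticket.Expiration, ticket.IsPersistent,
            identityName,
            string.Equals(ticket.Name, identityName, StringComparison.Ordinal));
    }
}
```

Calling AuthTicketInspector.Describe(HttpContext.Current) from a test page while SQL Profiler is running shows the name being read without any query to the membership database.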