I'm developing a site that will display confidential read-only information, with data fetched from a WCF service.

My question: What is the best approach to user management across different information pages?

The service returns a collection with customer info after a secure login. My idea is to have a Customer object class that is stored in session.

Is it possible to use things like HttpContext.Current.User.Identity.IsAuthenticated followed by HttpContext.Current.Session["UserId"] without using a database with role-based security?

Would I be better off with a combination of local database, Linq to SQL or datasets rather than using just class objects for data fetched from service?

thanks, nakori

A: 

You don't need a local database - but best practice is to have the user authenticate. The two options are via a database and/or via AD if this is an internal site.

You might as well create a new WCF service to perform the authentication since you've already got your database functionality separate. This will also let you access databases that aren't local.

TheGeekYouNeed
+1  A: 

If you have no need of tracking the user's identity within your application, just use session as you indicated.

But the HttpContext.Current.User.Identity.IsAuthenticated and such rely on the user having authenticated with your site in some way or another (or it will always come back as false). Authenticating with the web site doesn't necessarily need a database though. You can set up users directly in web.config, XML files, or use AD or some other authentication mechanism that doesn't use a traditional database.

But unless you need to authenticate the users, you can probably do what you want using the server's session object and/or cookies.

Stephen M. Redd
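
The combination asked about (IsAuthenticated plus a session-held Customer object, with no local database), as an added example that is not part of the question or either answer. It assumes forms authentication is enabled in web.config; `Customer`, `ICustomerService` and `CustomerSession` are hypothetical names standing in for the WCF service's real types.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical shape of the customer data returned by the WCF service.
[Serializable]
public class Customer { public string UserId { get; set; } }

// Hypothetical wrapper around the WCF login call; returns null on bad credentials.
public interface ICustomerService { Customer Login(string userName, string password); }

public static class CustomerSession
{
    private const string Key = "Customer";

    // Call from the login page after the user submits credentials.
    public static bool SignIn(ICustomerService service, string userName, string password)
    {
        Customer customer = service.Login(userName, password);
        if (customer == null) return false;
        HttpContext.Current.Session[Key] = customer;
        // Issues the forms-authentication ticket; this is what makes
        // User.Identity.IsAuthenticated true on later requests.
        FormsAuthentication.SetAuthCookie(customer.UserId, false);
        return true;
    }

    // Call at the top of every confidential page; the caller must stop rendering on null.
    public static Customer RequireCustomer()
    {
        HttpContext ctx = HttpContext.Current;
        Customer customer = ctx.Session[Key] as Customer;
        // The auth ticket and the session expire independently, so check both
        // and make sure the session object belongs to the ticket's user.
        bool ok = ctx.User.Identity.IsAuthenticated
                  && customer != null
                  && string.Equals(customer.UserId, ctx.User.Identity.Name, StringComparison.Ordinal);
        if (ok) return customer;

        ctx.Session.Abandon();
        FormsAuthentication.SignOut();
        FormsAuthentication.RedirectToLoginPage();
        return null;
    }
}
```

Checking only `Session["UserId"]` or only `IsAuthenticated` leaves a window where one has expired and the other has not, which is why `RequireCustomer` treats any mismatch as signed out.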