asp.net mvc session and membership authentication

views:

answers:

asp.net mvc session and membership authentication

Hi All, New to MVC, worked a lot with asp.net but never used the built in membership , authentication, authorization stuff before.

I have 2 questions:

In the asp.net days i would store the logged in user details (username, first & last name, email) in a session (using a custom class) and just checked that the session["UserDetails"] !=null in each secure page, can i still do that in MVC? (why i'm not doing it with the built in stuff? - move question #2)
In my DB i've got a Authors table (with user & pass) which is connected to 20 other tables andi've got a users table (with user & pass) that connects to 1 or 2 tables. Say i want to use the built in stuff how can i use to validate the author login and the users login with the same membership provider? and how will i know which is currently logged in the user or the author when calling User.Identity.IsAuthenticated?

Thanks everyone!

Question 1:

In your controllers you would be using HttpContext.User to get the current IPrincipal for the user making the request. To secure an action (or an entire controller) just decorate it with the [Authorize] attribute. Read about the authorize attribute here http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx

Question 2:

Here you have two options, extend the profile provider to manage that extra data or loose a bit of referential integrity and just use the app services db for authorization and keep and have an UserId field in each entity related to a user and build your user and related entities collection in the your data access layer. I always use the 2nd one.

JoseMarmolejos 2010-09-22 16:21:59

Hi, thanks, but can you elaborate more on option 2 "loose a bit of referential integrity and just use the app services db"

TomerMiz 2010-09-22 18:43:09

Sure, ideally you'd have a single db so you can have make all the necessary relations with the users table. Going with the 2nd approach would mean that will have 2 databases, one for the users and one for the app's data so there will be no relationships in the schema between users and their related entities.

JoseMarmolejos 2010-09-23 00:20:11

Hi, so going with the 2nd approach,i will have to hold the type of user (customr,author..) in the users DB? but why 2 databases? i could just have a users tables and foreign keys from users to customer and author tables. don't you think?

TomerMiz 2010-09-23 07:04:06

For the sake of keeping thing clean and separated I like to use another database for the .net membership provider. I've read that you can do it with one db, but that's too messy for my taste ... then again, I'm kinda picky.

JoseMarmolejos 2010-09-23 16:37:21

you were not supposed to do that in regular asp.net. What you were supposed to was use forms authentication to emit a signed ticket, which in 2.0+ could have been with the membership provider. The earlier is pretty much flexible, so before reading #2 there was already no reason not to use it ;). But yes, you could still do that, and no there is no other different suggested way of handling it in asp.net MVC.
you can either put the extra data in the ticket or use a convention appending something to the username in the ticket, and then when receiving a cookie you can replace the context's IPrincipal with a custom principal.

eglasius 2010-09-22 17:06:08

Hi, Thanks, you mean like save the username in a cookie as "autor_RealUserName" just to identify it as an author?

TomerMiz 2010-09-22 18:50:26

yes, but I mean specifically in the forms authentication cookie, not a custom cookie you create. More information about forms authentication in this link: http://msdn.microsoft.com/en-us/library/ff647070.aspx.

eglasius 2010-09-22 19:31:02

ansaurus

tags:

views:

answers:

asp.net mvc session and membership authentication

related questions