views: 59 | answers: 0

Hi guys, I am developing an ASP.Net MVC 2 application as a composite application in SalesForce.com. For those not familiar with SalesForce.com, it is a CRM platform on the internet. The composite application is simply shown inside an iframe in a separate tab. So when the user logs in to salesforce.com, that user sees a bunch of tabs. My application is available when the user clicks on my application's tab. Then SalesForce.com passes, in the URL to my app, Salesforce's session id, which I can use to access Salesforce data without requiring the user to log in. I have probably lost a lot of users who would just say: "hey, this is a salesforce.com-specific question, ask them". Well, it is not Salesforce-specific, I think.

Ok, to carry on: people advise that ASP.Net MVC 2 authentication should be persisted in a cookie on the user's client machine. So basically I persist the user's id in a cookie, then if I need information about the user I just retrieve that. In my case I see two problems:

1. I use the client's information quite often, so I do not want to query salesforce.com every time for it. Is it a good idea to serialize and encrypt the user's information in a cookie? Also, the user's information is an object with two object properties: one containing a bunch of primitives and enums to describe the Salesforce user, and another one that contains a bunch of primitives and enums to describe the user in my local app.

2. My app runs from within an iframe and, as far as I know, there will be problems storing a cookie on the user's machine. I am not sure if that is true. Also, when a user logs out of Salesforce, my cookie should be invalidated/deleted from the user's machine.

What I am doing right now is storing all the user's information in the session, without cookies involved. I just cannot figure out why that would be a bad idea. I mean, I have read information about session hijacking and session expiration.

But in terms of session hijacking: if I encrypt and store the user's id in a cookie and keep the user's object in cache, and somebody steals the session, that somebody gets the cache too and takes the user's object, right?

In terms of session expiration, there must be a way to take care of that. I am not sure exactly how it is done, but I know that it can be done in ASP.Net. Persist in SQL Server, probably.

Any help on figuring out what the best practice for authentication in ASP.Net MVC 2 in the current context (remember, my app is in an iframe) would be very much appreciated.

Regards, Kos
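One way to build the encrypted, self-expiring cookie the question asks about, as an added example that is not part of the original post and not an answer from the thread. It uses the stock ASP.NET forms-authentication ticket, whose `FormsAuthentication.Encrypt`/`Decrypt` pair both encrypts and integrity-checks the payload with the site's `machineKey`, so a tampered cookie fails to decrypt rather than yielding a forged user object. The `CompositeUser`, `SalesforceProfile` and `LocalProfile` types, the cookie name, and the size limit are assumptions standing in for the two sub-objects described in the question; the Salesforce session id is deliberately kept out of the cookie, since the page gives no reason to hand that secret back to the browser.

```csharp
using System;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Added example, not code from the original post. The three classes below are
// assumptions modelling "an object with two object properties" from the question.
public class SalesforceProfile { public string UserId; public string OrgId; public string Locale; }
public class LocalProfile      { public int AppUserId; public string Role; }
public class CompositeUser     { public SalesforceProfile Sf; public LocalProfile Local; }

public static class CompositeAuth
{
    const string CookieName = "compapp_auth";            // assumed cookie name
    const int MaxPayloadChars = 2000;                     // browsers cap a cookie near 4 KB; keep headroom for encryption overhead
    static readonly JavaScriptSerializer Json = new JavaScriptSerializer();

    // Issue the cookie once, after the Salesforce session id from the URL has been
    // verified against Salesforce and the user object has been built from the result.
    public static HttpCookie Issue(CompositeUser user, TimeSpan lifetime)
    {
        string payload = Json.Serialize(user);
        if (payload.Length > MaxPayloadChars)
            throw new InvalidOperationException("User payload too large for a cookie; keep it server-side and store only the id.");

        var ticket = new FormsAuthenticationTicket(
            2,                                            // ticket version
            user.Sf.UserId,                               // principal name
            DateTime.Now,                                 // issue time
            DateTime.Now.Add(lifetime),                   // absolute expiry, checked on every read below
            false,                                        // not persistent: a session cookie that dies with the browser
            payload);                                     // user data; Encrypt() encrypts and MACs the whole ticket

        return new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                              // script running in the framed page cannot read it
            Secure   = true                               // never sent over plain HTTP
        };
    }

    // Read the user back. Returns null for a missing, tampered or expired ticket,
    // so a stolen-but-expired cookie or a forged one is treated as "not logged in".
    public static CompositeUser Read(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }                // bad MAC, wrong machineKey or garbage
        if (ticket == null || ticket.Expired) return null;

        return Json.Deserialize<CompositeUser>(ticket.UserData);
    }

    // Revoke when Salesforce logout is detected (for example the passed-in session id
    // stops working): overwrite the cookie with an already-expired one. A short
    // `lifetime` in Issue() bounds how long a stolen copy stays usable regardless.
    public static HttpCookie Revoke()
    {
        return new HttpCookie(CookieName, string.Empty)
        {
            Expires  = DateTime.Now.AddDays(-1),
            HttpOnly = true,
            Secure   = true
        };
    }

    // Because the app is framed by salesforce.com, this is a third-party cookie.
    // Older Internet Explorer silently drops third-party cookies unless the response
    // carries a P3P compact-policy header; the token string here is a placeholder to
    // replace with your own policy. Current browsers additionally require the cookie
    // to be marked "SameSite=None; Secure" to be sent in a cross-site iframe.
    public static void AddFramingHeaders(HttpResponseBase response)
    {
        response.AppendHeader("P3P", "CP=\"CAO PSA OUR\"");
    }
}
```

Usage in a controller is `Response.Cookies.Add(CompositeAuth.Issue(user, TimeSpan.FromMinutes(30)))` after validating the Salesforce session id, and `CompositeAuth.Read(Request)` in an action filter before each request. If the serialized object outgrows the cookie, the right split is to keep only the user id in the ticket and the two profile objects in a server-side cache keyed by that id, expiring the cache entry together with the ticket.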