tags:

views:

52

answers:

1
Q: 

ASP.NET MVC built-in membership vs session

Hi,

Just spent the last 3 days exploring membership, iprincipal, identity and other goodies..but something is still not clear. Why it is better to use that incited of simply store a minimize logged in user object in session? it can hold roles, permissions and other custom properties.

to achieve the same thing the asp.net form auth way i would do:

protected void Application_AuthenticateRequest() 
{ 
    HttpCookie cookie = Request.Cookies.Get(FormsAuthentication.FormsCookieName); 
    if (cookie == null) 
        return; 
    bool isPersistent; 
    int webuserid = GetUserId(cookie, out isPersistent); 

    //Lets see if the user exists 
    var webUserRepository = Kernel.Get<IWebUserRepository>(); 

    try 
    { 
        WebUser current = webUserRepository.GetById(webuserid); 

        //Refresh the cookie 
        var formsAuth = Kernel.Get<IFormsAuthService>(); 

        Response.Cookies.Add(formsAuth.GetAuthCookie(current, isPersistent)); 
        Context.User = current; 
    } 
    catch (Exception ex) 
    { 
        //TODO: Logging 
        RemoveAuthCookieAndRedirectToDefaultPage(); 
    } 
} 

private int GetUserId(HttpCookie cookie, out bool isPersistent) 
{ 
    try 
    { 
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value); 
        isPersistent = ticket.IsPersistent; 
        return int.Parse(ticket.UserData); 
    } 
    catch (Exception ex) 
    { 
        //TODO: Logging 

        RemoveAuthCookieAndRedirectToDefaultPage(); 
        isPersistent = false; 
        return -1; 
    } 
}

So i'll need to query the DB on each authenticated request, when in using session i'll do it only once when the user logs in, i know you can store the roles and other user data in the ticket cookie but i don't think its secure since an attacker can modify the cookie content, move it and more..

so, any one else agrees?

+1  A: 

The default InProc Session state is not durable and will "disappear" whenever your App Pool recycles.

The SqlStore session is durable but then you have an additional load on your db server.

Cookies are the best choice for websites at the moment and that probably won't change for a long time. Cookies are relatively secure and as long as you encrypt cookie content, which .net does by default, you should be ok.

Note: There is a big security flaw in .Net regarding its default encryption methods so when I say secure I mean was secure and probably will be again.

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

jfar  2010-09-25 23:17:20
Worth pointing out there are alternatives to the above too, if you're happy to stray off the beaten path a little. Mongo/Memcached can be good out of proc stores for this kind of thing.
Nik  2010-09-25 23:55:22
Thanks, but consider the scenario above, does it make sense to keep hitting the DB in every request to get the user obj and assign it to the context?
TomerMiz  2010-09-26 07:25:49
Hi, can anyone respond?
TomerMiz  2010-09-26 21:12:55
@TomerMiz - "does it make sense to keep hitting the DB in every request to get the user obj and assign it to the context" This is totally dependent on 1. How much time you have to develop. 2. What your expected traffic is. 3. How much $$$ do you have for hardware. 4. Benchmarks and testing to determine your load levels. As far as I can tell you haven't even begun developing anything yet. Wait until you get some traffic and see what makes sense performance wise.
jfar  2010-09-27 00:40:34

related questions

Store user id in Principal or Identity? ASP.Net/OpenID.
Converting Single DB ASP.NET Site into MultiTenant - Membership and Roles Dilema
customize asp.net membership by changing "userid" type to integer
ASP Membership cannot handle encrypted connection strings in web.config
what is the best way to make some pages in asp.net require login?
Looking for a Yahoo Groups (CMS) replacement
Why should I Use ASP.NET Membership security model?
ASP.NET: Does implementing a custom MembershipProvider class needs you to implement a custom Membership class too?
How to set the Principal in an ASP.Net app
How can you test if an ASP.NET membership password will meet configured complexity requirements?
ExpressionEngine Multiple Site Manager and Member Groups
Locking out a user in an ASP .Net Custom Membership Provider
ASP.NET Application to authenticate to Active Directory or SQL via Windows Authentication or Forms Authentication
Not using e-mail address in a custom MembershipProvider?
How to get current user in Asp.Net MVC
programmatic login with .net membership provider
ASP.NET Forms Authentication With Only UserName
Unit test Custom membership provider with NUnit throws null reference error
How to access UserId in ASP.NET Membership without using Membership.GetUser() ?
How can I wire users with their respective folders in ASP.NET?
Grabbing Users with a specific value in their profile
How do you pass an authenticaticated session between app domains
What's the best way to authenticate over WCF?
Memcached chunk limit
ASP.NET Site Maps