Geek Answers Handbook

What is PostAuthenticateRequest overhead?

I implement a custom ticket system using the Application_PostAuthenticateRequest method in my global.asax file (ASP.NET MVC). I am wondering what overhead is for this kind of thing - since it will deserialize some information on each request. It generates cookies of about 1.8 kb, which is a ton, but is a better alternative than frequent trips with databases?

Information is deserialized

  • User id (int)
  • Roles (string [])
  • Email (string)
  • Related identifiers (int []) // (it’s hard to describe what it is, but each user will have about 3 of them)

It seemed wiser to implement the FormsAuthenticationTicket user system than constantly making circular trips to the database based on User.Identity.Name . But I'm just worried that this constant deserialization is very slow. But it looks something like this ...

  protected void Application_PostAuthenticateRequest(object sender, EventArgs e) { HttpCookie authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName]; if (authCookie != null) { string encTicket = authCookie.Value; if (!String.IsNullOrEmpty(encTicket)) { // decrypt the ticket if possible. FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(encTicket); var userData = Deserializer.Deserialize(ticket); UserPrincipal principal = new UserPrincipal(userData); HttpContext.Current.User = principal; } } }

Here the class is serialized as UserData in FormsAuthenticationTicket .

 [Serializable] public class MembershipData { public string Email { get; set; } public int Id { get; set; } public string[] Roles { get; set; } public int[] Ancillary { get; set; } }
+7
source share
2 answers

I would recommend you measure performance, but I would expect a cookie approach to be faster than doing database callbacks. You can also simplify serialization and make it as fast as possible with a comma delimiter or some special character delimited string. Here's how I would rate the various operations in terms of performance:

  • in the process of communication
  • interaction between processes
  • interworking
+2
source

I know that this question is a bit outdated at the moment and already has an accepted answer, but I would like to talk about my thoughts and how we are now doing something with a similar setting.

Initially, we went through the same process as you and included a fair bit of user data in the cookie. This process shortened our trips through the databases, but in the end we got into an error when some users could not log in at all, while others could. It turns out that cookies were silently deleted when they moved to a certain size due to our serialized data.

Our current process is a two-tier caching system. We store the user database identifier in a cookie as User.Identity.Name , and then in PostAuthenticateRequest, we try to get user information from the local ASP.net cache, returning to the distributed Redis cache. The local cache is in proc and is stored for 15 seconds (therefore, for repeated requests, it is not necessary to go through the wire to Redis). The Redis cache is kept for a day and is not valid during the upgrade. If both of them are skipped, we then load the information from SQL Server.

Then we delete this user information in the user IPrincipal, and everything works like a charm. This seems to work very well for us on a site with a fairly high level of usage.

+8
source

More articles:


All Articles