How to authenticate with ASP.Net MVC?

I have a site with an area that requires authentication. Right now I am using the Roles attribute on all controllers in this area, and I am running a query to get the user ID and all of the user's settings.

It doesn't seem to me like good code or design that I fetch the user ID and settings every time a controller in this area spins up. I'm not sure whether I should use sessions, or whether ASP.NET MVC 2.0 provides a particular way to handle this. Another concern is security.

All in all, I really don't know which way to turn. Reasonable design: I would like the userId and settings to be retrieved only once, when the user enters the area. Right now, I grab the userId every time a controller spins up and then, if required, query the database every time for the settings.

+6
authentication asp.net-mvc asp.net-mvc-2 personalization
6 answers

One of the rules of security is that you should not try to do it yourself. There are many ways to get authentication wrong and leave loopholes or backdoors. So in that regard, you could consider the SqlMembershipProvider that comes with .NET. It can be used with MVC, provides tools for getting roles and the current security context, is easy to set up and configure, and will be more secure than rolling your own.

If you are not using SQL Server, you have several options. One solution would be to use something like SQL Server Express or SQL Server Compact Edition to hold the credentials. Another would be to mimic the SqlMembershipProvider database schema and then write a custom provider that works against that schema.

The final choice is to write your own MembershipProvider class. Although that is still rolling your own, it gets you into the MembershipProvider framework, so you can swap it out at a later date for another one (for example, ActiveDirectoryMembershipProvider), and it provides a common interface for working with credentials and logins, which, for example, makes it easy to use the built-in Login control.

If you are already using a MembershipProvider and are asking about storing additional user data, I would suggest the SqlProfileProvider, with all the caveats I mentioned above about SqlMembershipProvider. The ProfileProvider provides a framework for keeping user data alongside the currently logged-in user.

For more information:

+11

You can also implement a custom Identity. They are very easy to implement, and they let you store whatever user information you want in the Identity, which is then kept in the cookie, so you do not hit the DB every time to get that information.

Just create a new class that inherits from GenericIdentity and you're good to go.

Of course, you have to be careful how much information you put there, since it's in a cookie, but usually the user-related information in the case you are talking about is not that big.

We use a custom Identity to store several bits of user information, and it works very well.

+1
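One way to put the custom-Identity approach from the answer above into practice, as an added example that is not code from the answer: the per-user settings and roles are read from the database once at login, serialized into the UserData field of the forms-authentication ticket, and rebuilt into a GenericIdentity subclass on every request without touching the database. It assumes forms authentication is enabled in web.config; the UserSettings shape, its "|" encoding and the class names are this example's own choices.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Example's own settings shape; keep it small, the whole encrypted ticket must fit in one cookie.
public class UserSettings
{
    public int UserId { get; set; }
    public string Theme { get; set; }
    public string[] Roles { get; set; }

    // Compact, delimiter-safe encoding for the ticket's UserData field.
    public string Serialize()
    {
        return string.Join("|", new[] {
            UserId.ToString(),
            Uri.EscapeDataString(Theme ?? ""),
            Uri.EscapeDataString(string.Join(",", Roles ?? new string[0])) });
    }

    // Returns null on anything unexpected so the caller can treat the ticket as unusable.
    public static UserSettings Deserialize(string data)
    {
        if (string.IsNullOrEmpty(data)) return null;
        var parts = data.Split('|');
        int id;
        if (parts.Length != 3 || !int.TryParse(parts[0], out id)) return null;
        var roles = Uri.UnescapeDataString(parts[2]);
        return new UserSettings {
            UserId = id,
            Theme = Uri.UnescapeDataString(parts[1]),
            Roles = roles.Length == 0 ? new string[0] : roles.Split(',') };
    }
}

// The custom Identity: a GenericIdentity that also carries the decoded settings.
public class SiteIdentity : GenericIdentity
{
    public UserSettings Settings { get; private set; }

    public SiteIdentity(string userName, UserSettings settings) : base(userName, "Forms")
    {
        Settings = settings;
    }
}

public static class SiteAuth
{
    // Called once, after the password check succeeded and the settings were read from the DB.
    public static void SignIn(HttpResponseBase response, string userName, UserSettings settings, TimeSpan lifetime)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(lifetime), false,
            settings.Serialize(), FormsAuthentication.FormsCookiePath);
        // Encrypt() both encrypts and MACs the ticket with the machineKey, so the browser can
        // neither read nor alter UserData; HttpOnly keeps script away from the cookie.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Runs after FormsAuthenticationModule has already validated and decrypted the ticket.
    public static void Authenticate(HttpContext context)
    {
        var formsIdentity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (formsIdentity == null) return;              // anonymous, or not a forms ticket

        var settings = UserSettings.Deserialize(formsIdentity.Ticket.UserData);
        if (settings == null)                           // older ticket format: force a fresh login
        {
            context.User = new GenericPrincipal(new GenericIdentity(""), new string[0]);
            return;
        }
        // Roles come from the ticket too, so [Authorize(Roles = "...")] needs no DB round trip.
        context.User = new GenericPrincipal(new SiteIdentity(formsIdentity.Name, settings), settings.Roles);
    }
}

// Global.asax.cs
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        SiteAuth.Authenticate(Context);
    }
}

// In a controller base class: the settings are already on the identity, no query needed.
public class BaseController : System.Web.Mvc.Controller
{
    protected UserSettings Settings
    {
        get { var id = User.Identity as SiteIdentity; return id == null ? null : id.Settings; }
    }
}
```

Two caveats that follow from the design: the data in the ticket is a snapshot taken at login, so a role or setting changed in the database does not take effect until the user signs in again (or you reissue the ticket), and the ticket is protected by the machineKey, so every server in a farm must share the same key or tickets from one server will be rejected by another.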

You can store an object in session that contains all the user information you need. You just need to add a property in controllers, views or other base classes where you want to get the user information / profile. This would be authorization information, as opposed to authentication information (for example, forms authentication).

0

You could try Windows Identity Foundation. I used it in one of my projects for a while. It lets you use "claims-based authentication", which basically means you can assign "claims", strings of information that describe the user, when they log in.

After login, the user's claims can be read from the HttpContext.Current.User field. You can also use role claims, which integrate easily with role-based authentication schemes; this means you can give the user a claim for the role "manager" and then use if (User.IsInRole("manager")).

As an added bonus, WIF makes it easy to reuse your login screen for other applications.

Overall it is very flexible, but the documentation is very poor. I have asked and answered a series of questions about "Windows Identity Foundation" on StackOverflow.

0
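Reading claims the way the answer above describes, as an added example that is not code from the answer: it targets WIF 1.0 (the Microsoft.IdentityModel assembly that was current alongside MVC 2) and assumes the WIF modules are configured in web.config so that HttpContext.Current.User is an IClaimsPrincipal. The theme claim type URI, the issuer name and the controller are this example's own assumptions.

```csharp
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Claims;

public static class ClaimsReader
{
    // Assumed custom claim type; any URI agreed between the STS and the application works.
    public const string ThemeClaimType = "http://schemas.example.com/2010/claims/theme";

    // The principal WIF builds from the session token; null when the request is anonymous.
    public static IClaimsIdentity Current()
    {
        var principal = HttpContext.Current.User as IClaimsPrincipal;
        if (principal == null || principal.Identities.Count == 0) return null;
        return principal.Identities[0];
    }

    // The module already verified the token signature; the application still decides which
    // issuer is allowed to assert which claim type, hence the issuer check on every lookup.
    public static string Value(IClaimsIdentity identity, string claimType, string trustedIssuer)
    {
        if (identity == null) return null;
        var claim = identity.Claims.FirstOrDefault(c => c.ClaimType == claimType && c.Issuer == trustedIssuer);
        return claim == null ? null : claim.Value;
    }

    public static string[] Roles(IClaimsIdentity identity, string trustedIssuer)
    {
        if (identity == null) return new string[0];
        return identity.Claims
            .Where(c => c.ClaimType == ClaimTypes.Role && c.Issuer == trustedIssuer)
            .Select(c => c.Value)
            .ToArray();
    }
}

[Authorize]
public class DashboardController : Controller
{
    // Assumed: the issuer name as registered under <issuerNameRegistry> in web.config.
    private const string TrustedIssuer = "http://sts.example.com/";

    public ActionResult Index()
    {
        var identity = ClaimsReader.Current();
        if (identity == null) return new HttpUnauthorizedResult();

        // Per-user settings arrive as claims, so nothing is queried per request.
        ViewData["Theme"] = ClaimsReader.Value(identity, ClaimsReader.ThemeClaimType, TrustedIssuer) ?? "default";
        ViewData["Roles"] = ClaimsReader.Roles(identity, TrustedIssuer);

        // IsInRole is answered from the role claims on the identity, which is why
        // [Authorize(Roles = "manager")] also works with no role provider configured.
        ViewData["CanApprove"] = User.IsInRole("manager");
        return View();
    }
}
```

The issuer check matters because a claim carries whatever the STS (or anyone the STS federates with) put in it; filtering by the issuer name that your issuerNameRegistry assigned to the trusted certificate is what stops a foreign issuer's "manager" role claim from being honoured.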

We have done this quite a few times in the past. Along the lines of what Thomas is talking about, we typically created a new membership provider based on the Microsoft SQL membership provider. We inherit from the MembershipUser base class and add any custom properties we would like to have on the user object. You have to implement the database read in the membership provider's GetUser implementation so that you can pull the additional properties you need from the database.

If you use SQL Server, Microsoft has released the 2.0 source code for it. You can find out more on Scott Guthrie's blog.

http://weblogs.asp.net/scottgu/archive/2006/04/13/442772.aspx

If you want to start from scratch, they also have good resources on MSDN.

http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

and

http://msdn.microsoft.com/en-us/library/6tc47t75.aspx

After you have implemented your provider, you can add the MembershipUser to the Items collection of the current web context to access it from your code. The non-extended properties from the base user class are also available on the request thread, as usual.

With the release of the 2.0 source code from Microsoft, we found that it helped us fix some of the issues that exist regarding rethinking. Another thing to consider for your implementation is that, depending on your scenario, you may be able to skip implementing some of the code. An example of this is the CreateUser code, if you are hitting a back-end system that already has the credentials.

0
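The custom MembershipUser / GetUser pattern from the answer above, which is also the "write your own MembershipProvider" route from the first answer, as one added example that is not code from either answer. The provider derives from SqlMembershipProvider so the credential handling stays Microsoft's, and only GetUser is extended to read extra columns. The dbo.UserSettings table (keyed on aspnet_Users.UserId), its columns and the class names are this example's own assumptions.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

// MembershipUser subclass carrying the extra per-user properties.
public class SiteMembershipUser : MembershipUser
{
    public string Theme { get; private set; }
    public string Culture { get; private set; }

    public SiteMembershipUser(MembershipUser u, string theme, string culture)
        : base(u.ProviderName, u.UserName, u.ProviderUserKey, u.Email, u.PasswordQuestion, u.Comment,
               u.IsApproved, u.IsLockedOut, u.CreationDate, u.LastLoginDate, u.LastActivityDate,
               u.LastPasswordChangedDate, u.LastLockoutDate)
    {
        Theme = theme;
        Culture = culture;
    }
}

// Reuses SqlMembershipProvider for passwords, lockout and so on; only GetUser is widened.
public class SiteMembershipProvider : SqlMembershipProvider
{
    private string _connectionString;

    public override void Initialize(string name, NameValueCollection config)
    {
        // Read the connection string before the base provider consumes the config entry.
        var cs = ConfigurationManager.ConnectionStrings[config["connectionStringName"]];
        if (cs == null) throw new ProviderException("connectionStringName not found");
        _connectionString = cs.ConnectionString;
        base.Initialize(name, config);
    }

    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        var baseUser = base.GetUser(username, userIsOnline);
        if (baseUser == null) return null;

        string theme = null, culture = null;
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("SELECT Theme, Culture FROM dbo.UserSettings WHERE UserId = @UserId", conn))
        {
            // Parameterised: the key is bound as a GUID and never enters the SQL text.
            cmd.Parameters.Add("@UserId", SqlDbType.UniqueIdentifier).Value = (Guid)baseUser.ProviderUserKey;
            conn.Open();
            using (var r = cmd.ExecuteReader())
            {
                if (r.Read())
                {
                    theme = r.IsDBNull(0) ? null : r.GetString(0);
                    culture = r.IsDBNull(1) ? null : r.GetString(1);
                }
            }
        }
        return new SiteMembershipUser(baseUser, theme, culture);
    }
}

// Per-request cache in HttpContext.Items, as the answer describes: at most one read per request.
public static class CurrentUser
{
    private const string ItemsKey = "CurrentUser.SiteMembershipUser";

    public static SiteMembershipUser Get(HttpContextBase ctx)
    {
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return null;
        var cached = ctx.Items[ItemsKey] as SiteMembershipUser;
        if (cached != null) return cached;

        // userIsOnline = false, otherwise every call would also write LastActivityDate.
        var user = Membership.GetUser(ctx.User.Identity.Name, false) as SiteMembershipUser;
        if (user != null) ctx.Items[ItemsKey] = user;
        return user;
    }
}
```

Register it in web.config under <membership defaultProvider="SiteMembershipProvider"> with an <add name="SiteMembershipProvider" type="SiteMembershipProvider" connectionStringName="..." /> entry carrying the same attributes you would give SqlMembershipProvider (applicationName, password format and so on), since the base class validates them in Initialize. HttpContext.Items lives only for the current request, so this removes repeated reads within one request but still costs one query per request; the identity-in-cookie or session approaches in the other answers are what remove the per-request query entirely.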

It sounds like you are relatively happy with the authentication process, but you want to explore other session / settings options.

My suggestion only concerns the settings (roles, preferences, etc.).

In my opinion, sometimes traversing the entire technology stack, from the UI to the business tier to the DB tier and into the DB, is a bit overkill. For data that is unlikely to change during the session, this adds a lot of overhead... There are potentially several data transformations (DB (relational format) -> ORM -> web services XML serialization -> web-tier deserialization).

You might consider a session store that does not rely on a heavy RDBMS or on the ASP.NET caching / session model. There are options that are very efficient and scale well.

You could use RavenDB from Ayende Rahien (built for .NET). Its main goal is to provide low-latency, high-performance access to schema-less JSON documents.

With this solution, you would set up RavenDB at the web tier so that data access is very fast. The first time you authenticate and retrieve the settings, you save the user ID and settings information into this session store. Every time a controller loads after that, the settings data is available without needing to go back to the RDBMS. This database can also be used to cache other web-related data.

In terms of security, the settings data is passed to the web tier regardless of the method you use. This solution is neither more nor less secure than the other options (more secure than unencrypted cookies). If you need to, you can encrypt the session data, but that adds overhead again.

Another one of a million options.

Good luck,

Let us know what you decide!

Patrick.

0
