is the HTTPCONTEXT.current.user content encrypted with session state??

[Kevin Yu]

hi all


I use a custom windows principal to the httpcontext.current.user in a
windows authenitcation asp.net app. There are other objects added to the
principal. during the
WindowsAuthentication_OnAuthenticate() call, the principal will be load
rights for the current user alone with the roles. now I wonder if the USER
object be encrypted and send to the client?

what I my concern is when the roles and rights become large, it will effect
the performance.

 

[Scott Allen]

Session state is not sent to the client - only a cookie is sent to the client
with a session identifier. The server can examine the ID in the cookie and
look up the session state when a request arrives.

 

[Kevin Yu]

HTTPCONTEXT is not part of the session state. I mean the _viewstate that is
hidden in the html to the client.

 

[David Jessee]

When you use Windows Authentication, there is no user information persisted
within the viewstate.

 

[Scott Allen]

I apologize - I don't know why I thought you were talking about session state,
but as David points out - there is no user information in viewstate with
windows auth. Google for "viewstate decoder" and you can find a little utility
to poke through the contents of the viewstate.

 

[Kevin Yu]

sorry, I mean the viewstate, of course the session state will not be
transfered to the client.
but is httpcontext.current.user content in the _VIEWSTATE string in the
html??