Form authentication & Custom Principal implementation

lucd

Hello,


I am currently playing with form authentication & role based
security on a web application.

As seen in the Time Tracker starter kit, I set up a custom identity
class (CustomPrincipal) because I wanted some extra info about the
current user. I need this extra information to be available in pages
without having to query the database on each page request.

I followed the above samples, and setup the following:

I created a CustomPrincipal class with extra properties (code
shortened for readability)


[code]Public Class CustomPrincipal
    Implements IPrincipal
    ...
    Public Sub New(ByVal identity As IIdentity, ByVal Roles() As String)
    Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
    Public Property Name() As String
    Public Property Roles() As String()
    Public Property UserID() As Integer
    Public Property FullName() As String
    ...
End Class[/code]
When the user authenticates through the login form,
I save the authentication cookie, in which I include some extra user
info together with the roles in the "userData" field (delimited string).

I can then get this userData information back in the global.asax
Application_AuthenticateRequest event:

[code]Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
If authCookie Is Nothing OrElse authCookie.Value = "" Then Return

Dim authTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
' Decrypt also hands back expired tickets; do not build a principal from one
If authTicket Is Nothing OrElse authTicket.Expired Then Return

' userData layout written at login: "role1|role2;userID;fullName;parentCompany"
Dim UserInformation As String() = authTicket.UserData.Split(";"c)
Dim roles As String() = UserInformation(0).Split("|"c)
Dim id As New FormsIdentity(authTicket)[/code]

create a CustomPrincipal and assign it to the current request

[code]Dim myPrincipal As New CustomPrincipal(id, roles)
myPrincipal.UserID = CType(UserInformation(1), Integer)
myPrincipal.FullName = UserInformation(2)
myPrincipal.ParentCompany = CType(UserInformation(3), Integer)
' ...
Context.User = myPrincipal[/code]

It is working very well, but by doing so, all information is stored in
the authcookie... where the size is very limited...

My question is what about the following
approach:

I would like to use a UserInfo class

[code]Public Class UserInfo

    Public UserID As Integer = 0
    Public UserLevel As Integer = 0
    Public Firstname As String = ""
    Public Lastname As String = ""
    Public Email As String = ""
    Public ParentCompany As Integer = 0
    ' ... and many other properties

End Class[/code]


Build my CustomPrincipal with it

[code]Imports System.Security.Principal
Imports System.Web
Imports System.Web.SessionState

Public Class CustomPrincipal
    Implements IPrincipal

    Protected _Identity As IIdentity
    Protected _arUserRoles As String()

    Public Sub New(ByVal identity As IIdentity, ByVal Roles() As String)
        _Identity = identity
        _arUserRoles = Roles
    End Sub

    Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
        Get
            Return _Identity
        End Get
    End Property

    ' Required by IPrincipal; roles still come from the ticket, not from Session
    Public Function IsInRole(ByVal role As String) As Boolean Implements IPrincipal.IsInRole
        Return Array.IndexOf(_arUserRoles, role) >= 0
    End Function

    Public ReadOnly Property IdentityInfo() As UserInfo
        Get
            Return User.GetInfo(Me.Identity.Name)
        End Get
    End Property

End Class


Class User

    Public Shared Function GetInfo(ByVal username As String) As UserInfo

        ' Session is not in scope in a plain class; reach it through the current context
        Dim session As HttpSessionState = HttpContext.Current.Session
        Dim _UserInfo As UserInfo

        If session("UserInfo") Is Nothing Then
            ' build the UserInfo for this username from the database (query omitted)
            _UserInfo = New UserInfo()
            ' save it in Session
            session("UserInfo") = _UserInfo
        Else
            _UserInfo = CType(session("UserInfo"), UserInfo)
        End If

        Return _UserInfo

    End Function

End Class[/code]

So I could store much more information than in the cookie and access
it in all pages through my CustomPrincipal.IdentityInfo.


[b]What would be the pros & cons of doing it this way?
Why do all the samples rely only on the authentication cookie and not
on session variables to store the identity userData?[/b]

many many thanks,

Luc

ps: still at the beginning of learning asp.net, so please forgive
errors ;-)

*-----------------------*
Posted at:
www.GroupSrv.com
*-----------------------*
John Saunders

lucd said:
Hello,

....
So I could store much more information than in the cookie and access
it in all pages through my CustomPrincipal.IdentityInfo.


[b]What would be the pros & cons of doing it this way?
Why do all the samples rely only on the authentication cookie and not
on session variables to store the identity userData?[/b]

I suppose that I'd use your technique if I had a lot of information about
the user to store. If it was frequently accessed, and faster to access from
Session than from the database or from Cache, then sure, session works.

But, just how much information about a user do you want to carry around to
every single page? What percentage of that information is used on a typical
page? If most pages use only 20% of the information, then perhaps that 20%
should stay in the IPrincipal, and the rest should be in Session state. This
isn't a big deal, just a separation of responsibilities. If 80% of that data
isn't being used most of the time, then most of your pages shouldn't care if
you change the way that data is represented.

John Saunders
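As an added illustration (not code from either poster), here is one way to combine the two views: the identity and roles decoded from the signed forms ticket stay authoritative in the principal, the larger profile object is cached in Session, and a cached copy is reused only if it was built for the same user name as the current ticket. UserInfo.Username and LoadFromDatabase are assumptions made for the example.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.SessionState

' Added example, not the poster's code. UserInfo is assumed to record the
' user name it was built for, so a cached entry can be tied to the ticket.
Public Class UserInfo
    Public Username As String = ""
    Public UserID As Integer = 0
End Class

Public Class CustomPrincipal
    Implements IPrincipal
    Private Const SessionKey As String = "UserInfo"
    Private ReadOnly _identity As IIdentity
    Private ReadOnly _roles As String()
    Public Sub New(ByVal identity As IIdentity, ByVal roles As String())
        _identity = identity
        If roles Is Nothing Then roles = New String() {}
        _roles = roles
    End Sub
    Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
        Get
            Return _identity
        End Get
    End Property
    ' Roles come from the encrypted and signed forms ticket, never from Session.
    Public Function IsInRole(ByVal role As String) As Boolean Implements IPrincipal.IsInRole
        Return Array.IndexOf(_roles, role) >= 0
    End Function
    ' Profile data is loaded lazily and cached in Session; a copy built for a
    ' different user name (re-login in the same browser session) is discarded.
    Public ReadOnly Property IdentityInfo() As UserInfo
        Get
            Dim store As HttpSessionState = HttpContext.Current.Session
            Dim cached As UserInfo = TryCast(store(SessionKey), UserInfo)
            If cached Is Nothing OrElse cached.Username <> _identity.Name Then
                cached = LoadFromDatabase(_identity.Name)
                store(SessionKey) = cached
            End If
            Return cached
        End Get
    End Property
    Private Shared Function LoadFromDatabase(ByVal username As String) As UserInfo
        Dim info As New UserInfo   ' hypothetical helper standing in for the real query
        info.Username = username
        Return info
    End Function
End Class
```

Session state is not yet available in Application_AuthenticateRequest (it is acquired later in the pipeline), so IdentityInfo is meant to be read lazily from pages and handlers, not while the principal is being built in global.asax.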