Keeping user's Information in Custom membership & role provider

  • Question

  • User1534988959 posted

    I am implementing a custom membership provider and role provider for authentication purposes in ASP.NET MVC 4. I followed this blog:

    http://www.mattwrock.com/post/2009/10/14/Implementing-custom-Membership-Provider-and-Role-Provider-for-Authinticating-ASPNET-MVC-Applications.aspx

    I need to keep username, userid, user_role & some other information and to check them on each click and page. Some users may have a read/write role while others have read only, etc.

    This app is a very big app and very sensitive. Now I have these questions.

    What is the best way to keep this information with me & then check/compare it?

    1. Keep it in session and check everywhere?
    2. Keep it in a cookie and check everywhere?
    3. Do not save it; on page load get it from the DB and decide at that time?

    Is there any other way to do so?

    Also, in MVC, where do I need to have this check of whether the user is authenticated to read this page/section or not?

    Please answer all my questions and keep security measures in all.

    Sunday, April 20, 2014 2:00 AM

Answers

  • User1140095199 posted

    Hi,

    Please answer all my questions and keep security measures in all.

    Keep it in session and check everywhere?

    Session should be the right choice for you. Cookies, of course, are not the safest way and can be turned off. Querying the database each time will make your app respond slowly.

    Also, in MVC, where do I need to have this check of whether the user is authenticated to read this page/section or not?

    Well, most of the above can be implemented using Authorize on the controllers.

            // Two stacked Authorize attributes must BOTH pass: the caller has to be
            // in the "Admin" role AND have the user name "sam".
            [Authorize(Roles = "Admin")]
            [Authorize(Users = "sam")]
            public ActionResult About()
            {
                ViewBag.Message = "Your app description page.";

                return View();
            }

    Well, if you use it as above you can restrict each action with a more granular approach.

            // Only members of the "Admin" role may POST to Create; the anti-forgery
            // token check runs as well before the action body executes.
            [Authorize(Roles = "Admin")]
            [HttpPost]
            [ValidateAntiForgeryToken]
            public ActionResult Create(StudentPersonalInfo studentpersonalinfo)
            {
                if (ModelState.IsValid)
                {
                    db.StudentPersonalInfos.Add(studentpersonalinfo);
                    db.SaveChanges();
                    return RedirectToAction("Index");
                }

                return View(studentpersonalinfo);
            }

    In the above example I have restricted Create so only Admin can create new students. This way you can implement granular restriction. If the Authorize attribute is used efficiently you won't need to get the user credentials and verify them on each page.

    There may be cases when you might need to customize the Authorize attribute for custom behavior. That can also be done by inheriting from it and overriding it.

    For more reference:

    Custom Authentication and Authorization in ASP.NET MVC - http://www.dotnet-tricks.com/Tutorial/mvc/G54G220114-Custom-Authentication-and-Authorization-in-ASP.NET-MVC.html

    Hope it helps!

    Best Regards!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, April 21, 2014 1:38 AM
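The answer above describes restricting actions with [Authorize] and, where needed, inheriting from the attribute to change its behavior. The following is an added example (not code from the answer's author or from the linked blog) of what that customization looks like in ASP.NET MVC 4: a subclass of the framework's AuthorizeAttribute that keeps the built-in Roles/Users checks (which go through the registered RoleProvider via User.IsInRole, so the decision does not rest on role data copied into Session or a cookie), returns 403 instead of a login redirect for users who are signed in but lack the role, and is registered as a global filter so every action is denied unless it opts out with [AllowAnonymous]. The namespace, the class names ReadWriteAuthorizeAttribute and StudentsController, and the role names "Reader" and "Editor" are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

namespace MyApp.Security // hypothetical namespace
{
    // Hypothetical filter: inherits the framework's AuthorizeAttribute so the
    // Roles/Users properties and [AllowAnonymous] handling keep working.
    public class ReadWriteAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null) throw new ArgumentNullException("httpContext");

            var user = httpContext.User;
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
                return false; // not signed in at all

            // The base class evaluates Roles/Users by calling user.IsInRole, which
            // the custom RoleProvider answers, so no role data is read from Session.
            return base.AuthorizeCore(httpContext);
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var identity = filterContext.HttpContext.User.Identity;
            if (identity != null && identity.IsAuthenticated)
            {
                // Signed in but not in the required role: answer 403 Forbidden
                // rather than bouncing an already-authenticated user to the login page.
                filterContext.Result = new HttpStatusCodeResult(403);
                return;
            }

            // Anonymous caller: default behaviour (401, redirected to the login page).
            base.HandleUnauthorizedRequest(filterContext);
        }
    }

    // Registering the filter globally makes every action deny-by-default;
    // individual actions opt out with [AllowAnonymous].
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            filters.Add(new ReadWriteAuthorizeAttribute());
        }
    }

    // Hypothetical controller showing read-only vs read/write roles.
    public class StudentsController : Controller
    {
        // A comma-separated Roles list means ANY of the listed roles is sufficient.
        [ReadWriteAuthorize(Roles = "Reader,Editor")]
        public ActionResult Index()
        {
            return View();
        }

        // Only the read/write role may change data; CSRF token is still validated.
        [ReadWriteAuthorize(Roles = "Editor")]
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Create(FormCollection form)
        {
            // ... persist the new record ...
            return RedirectToAction("Index");
        }

        // Public landing page: explicitly opts out of the global filter.
        [AllowAnonymous]
        public ActionResult Welcome()
        {
            return View();
        }
    }
}
```

Registering the filter globally and opting out per action is the safer default than decorating each action by hand, because a forgotten attribute then fails closed rather than open. If the cost of calling the role provider on every request is a concern, the framework's role manager can cache roles in an encrypted, signed cookie (the cacheRolesInCookie and cookieProtection="All" settings on roleManager in web.config), which avoids hand-rolling the plain cookie the answer warns against.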