I'm starting to build a web application where the user needs to authenticate in order to get access to different modules.

I have been working with ASP.NET MVC in the past and it was quite easy using FormsAuthentication and Server Sessions, so I don't have to do roundtrips to the database in order to get the user roles or any other user-related data every time I access a web method.

From what I have been reading, AngularJS won't work that way, so there won't be any Server Session, etc. So...

  1. In case I need to verify user identity every time I access a web method, do I need to consume the database, or is there any good practice that I can learn of?

  2. I know there are ways to store state data on the client side, but how can that affect the performance of a web application?

  3. I have seen that when a user logs in to an application the best way is to send a Token to the client and then force AngularJS to send that Token every time a web method is accessed... but what about sending to the client the user sessionId (from database) and then on every web method consumption sending that and then creating a filter where you check that the sessionId exists in the database so the user identity is validated?

Appreciate any advice or recommendations.

Thanks.

VAAA
  • This is more of a question of how you secure your REST API (server side assets). Angular doesn't preclude you from using cookies and sessions for authentication. – pherris Mar 08 '14 at 01:14
  • Angular is agnostic with regards to authentication, you can use the same methods you're used to using. – Jason Goemaat Mar 08 '14 at 01:52

1 Answer


My take on authentication is that you do not need to bring AngularJS into the picture till the user is authenticated. You use a simple login page, authenticate the user, and then redirect him to your app page that has AngularJS. Look at my old answer for more details: How to handle authentication in Angular JS application

Let me try to address your concerns.

> In case I need to verify user identity every time I access a web method, do I need to consume the database, or is there any good practice that I can learn of?

Once you have been authenticated, that part is taken care of by the server and browser cookies; you don't need to do anything. That is how a standard MVC site works.

> I know there are ways to store state data on the client side, but how can that affect the performance of a web application?

Since AngularJS is a SPA, there is no page refresh. Data stored on $rootScope or in a service is there till one refreshes the page. Performance would be better as there are fewer round trips involved.

> I have seen that when a user logs in to an application the best way is to send a Token to the client and then force AngularJS to send that Token every time a web method is accessed... but what about sending to the client the user sessionId (from database) and then on every web method consumption sending that and then creating a filter where you check that the sessionId exists in the database so the user identity is validated?

This is standard forms authentication, and it is transparent to the developer; whatever was required to be done in a traditional MVC app for authentication would work here. You don't have to worry about session IDs, tokens, etc. To get the user's identity on the client, you can write an AngularJS service with methods such as getUser to get the currently logged-in user. But I warn you that authorization-related decisions should still be made on the server.

Chandermani
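
An added sketch, not part of the answer above and not ASP.NET's own code, of why a forms-authentication style cookie lets the server identify the user on every call without a database round trip, and of keeping the authorization decision on the server. The ticket layout and the names `issueTicket`, `verifyTicket`, `authorize` and `SERVER_KEY` are assumptions for illustration; `getUser` here is the server-side lookup that a client service of that name would call.

```javascript
// Added illustration (not ASP.NET's real ticket format): an HMAC-signed auth
// cookie that the server can validate on each request without a database lookup.
const crypto = require('crypto');

const SERVER_KEY = crypto.randomBytes(32); // assumption: secret known only to the server

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_KEY).update(payload).digest('base64url');
}

// Called once, after the plain login page has checked the credentials.
function issueTicket(user, roles, ttlSeconds, now = Date.now()) {
  const body = JSON.stringify({ user, roles, exp: now + ttlSeconds * 1000 });
  const payload = Buffer.from(body).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Runs on every request: returns the ticket, or null if it is forged or expired.
function verifyTicket(cookie, now = Date.now()) {
  if (typeof cookie !== 'string') return null;
  const [payload, mac, ...rest] = cookie.split('.');
  if (!payload || !mac || rest.length) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const ticket = JSON.parse(Buffer.from(payload, 'base64url').toString());
  return ticket.exp > now ? ticket : null;
}

// Server-side filter: the decision uses only roles from the verified ticket,
// never anything the Angular client says about itself in the request body.
function authorize(request, requiredRole) {
  const ticket = verifyTicket(request.cookie);
  if (!ticket) return 401;
  return ticket.roles.includes(requiredRole) ? 200 : 403;
}

// What the server may hand to a client-side getUser service: display data only.
function getUser(request) {
  const ticket = verifyTicket(request.cookie);
  return ticket ? { name: ticket.user, roles: ticket.roles } : null;
}
```

In a real deployment the cookie would also be set with the HttpOnly and Secure flags so that script running in the page cannot read it.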