-1

I have a C#-based ASP.NET application which does form-based authentication and also needs authorization.

Here is a simplified version of the User table (SQL Server):

UID   UName   PasswordHash   UserRoles
----------------------------------------------
1     a       GERGERGEGER    Provider;Data Entry
2     b       WERGTWETWTW    HelpDesk;UserManager
...
...

I'm quite familiar with the authentication part, but for authorization I am not sure what the best way is:

I know that once a user is authorized, you can use the Identity object to get his/her info.

The question is: what is my choice for reading the logged-in user's roles on every page, other than calling that DB table every time to get them?

marc_s
S Nash
  • I have edited your title. Please see, "[Should questions include “tags” in their titles?](http://meta.stackexchange.com/questions/19190/)", where the consensus is "no, they should not". – John Saunders Mar 31 '15 at 18:38

1 Answer

-1

I am not sure this is a SQL Server question. This is an ASP.NET question.

ASP.NET forms authentication allows the application to define a "Principal" which (among other things) contains an array of strings known as "roles." You can populate the roles from the DB one time (when the user signs on), then serialize the principal into the forms authentication ticket, which becomes an encrypted cookie on the browser. ASP.NET decodes the cookie with each HTTP request and provides it to your ASP.NET C# code via HttpContext.User. It can then retrieve the roles from context and never needs to talk to the DB again.

Storing the roles would look something like this:

using System;
using System.Web;
using System.Web.Security;

// Roles fetched from the DB once, at sign-on, joined into one string
string roles = "Admin,Member";
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    1,                            // ticket version
    userId,                       // user name / id of the signed-in user
    DateTime.Now,                 // issue time
    DateTime.Now.AddMinutes(20),  // expiry
    false,                        // not persistent ("remember me" off)
    roles,                        // user data: the role list
    "/");                         // cookie path
// Encrypt also applies a MAC, so the browser cannot alter the roles
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                   FormsAuthentication.Encrypt(authTicket));
Response.Cookies.Add(cookie);
John Wu
  • You can populate the roles from the DB one time. How? Assume I got the roles from the DB. How do I populate this principal, and how do I serialize this into the authentication ticket? – S Nash Apr 01 '15 at 13:10
  • That is too broad a topic. You need to understand forms authentication to begin with, and there are several steps to coding and configuring it. I suggest you start [here](https://msdn.microsoft.com/en-us/library/ff649204.aspx) and return to StackOverflow when you have a specific question. – John Wu Apr 01 '15 at 14:11
  • I am well familiar with authentication. If you notice, my question is about authorization, not authentication. – S Nash Apr 03 '15 at 16:04
  • Your question pertains to role-based authorization, and I have provided a solution for providing the roles in a secure manner to code running in the web context. Not sure what else you need. – John Wu Apr 03 '15 at 19:13
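The read side of the answer above (rebuilding the principal from the ticket so `User.IsInRole` works without a DB call), as an added example that is not part of the answer or the asker's code; it assumes classic System.Web forms authentication, a Global.asax code-behind, and that the role list was written into the ticket's UserData as a comma-separated string:

```csharp
// Global.asax.cs (added example). Runs on every request, before authorization,
// and turns the forms-auth ticket back into a principal carrying the roles.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return; // anonymous request: leave Context.User alone

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt verifies the MAC before decrypting, so a cookie edited
            // on the client (e.g. with an extra role) throws here and is
            // never trusted.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return; // tampered or malformed cookie: treat as anonymous
        }
        if (ticket == null || ticket.Expired)
            return;

        // UserData holds the role list written at sign-on ("Admin,Member").
        string[] roles = ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // Pages and [Authorize(Roles = "...")] now read roles from this object.
        IIdentity identity = new FormsIdentity(ticket);
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

One caveat worth planning for: the roles in the ticket are a snapshot taken at sign-on, so a role removed in the database stays in effect until the ticket expires (20 minutes in the answer's code); keep the lifetime short, or re-issue the ticket when roles change.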