
I'm creating a web application (C#, MVC3) and trying to figure out the best practice for logging a user on. I'm sticking with the built-in FormsAuthentication framework and a custom Membership provider to validate a user. But the problem is, there is a lot of user information (first name, last name, user id, last login date, etc.) that I would like to save somewhere for easy access in my code.

My first thought was to overload IIdentity and IPrincipal, but I was reading that they require a database hit on every page load. Then I was thinking about cookies, but some posts were saying it is unwise to store sensitive information in them.

Any suggestions would be great.

Itakou
  • Why not use session for this? You can put a "Profile" object into session upon authentication. – e36M3 Aug 02 '11 at 19:05
  • I can't really figure out what your problem is?! What other information do you want to validate a user with?! – Samir Adel Aug 02 '11 at 19:08
  • Well, after the user is validated, I was just curious where to store the basic user account information across every view page the user accesses. Is session data the only logical way? – Itakou Aug 02 '11 at 19:11
  • You can use session... if you move to a web farm or load balanced environment, you'll need to centralize your session server. I'd recommend using a Cookie (details below) or just fetching a fresh copy each time... if your traffic is low, an additional DB hit for this info will likely be unnoticeable. – ctorx Aug 02 '11 at 19:30
  • Useful Forms Authentication thread: http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication – Jeremy A. West Feb 17 '12 at 01:19

2 Answers


You can still use FormsAuthentication. Sensitive user information can be stored in the FormsAuthenticationTicket.UserData property. And it's safe: the authentication cookie is encrypted by the FormsAuthenticationModule after the FormsAuthenticationTicket is serialized.

Tadas Šukys

I created a class called MiniUserModel in my app that has a few pieces of information I need, including User ID, Name, etc., but nothing super sensitive.

I serialize that instance to JSON, encrypt the JSON string, and write the value out to a Cookie.

This allows me to get access to the data easily on every page view without re-querying the database. Because my object is small, the cookie and the resulting request footprint are not adversely affected. This does add "some" overhead for decrypting and deserializing on each request, however. (You could profile it to see if it is a problem... in my case it is not.)

If you take this approach, it is important that you make sure to update the cookie value when a user changes their information.

ctorx