Solved

Caching question - anyone cache/cookie roles in .net web app?  HttpContext etc?

Posted on 2013-05-25
Last Modified: 2013-06-13
Hello all,

I have an MVC application and in the app I have a custom AuthorizeAttribute. In this method, which gets called a good amount, I run a query to check if the logged-on user User.Identity.Name is in a SQL table. That is the first check; then, if that is valid, I check if a role exists in a SQL role table and simply pass back a true boolean, else false.

Is there a way to cache this like in the HttpContext somewhere?  So even though the method will always get called to check the role I can first check if the roles are in cache or a cookie etc. instead of making the database call again.   The same for the first check if the user is a valid user.  I tried like setting the HttpContext user IsAuthenticated property but that is not allowed.  I think there is a way to set the IPrincipal or something.   The idea is I don't want to use the role and membership provider I want to cache these somehow or put them in the right cookie similar but not have to stub out all the interface methods with Not implemented etc.
Question by:sbornstein2
7 Comments

Expert Comment

by:Gary Davis
ID: 39197727
Caching can help reduce hits to Sql Server dramatically for the case you describe and many others. Use the Asp.Net Cache object to save the user's information. Prior to accessing Sql, retrieve the cache's info and if null, call Sql to get it and then stick the response fields into cache for next time. The cache key is important - it should identify the parameters passed to Sql such as the UserID.

The cache object should be set to expire in a few minutes with a sliding expiration which will keep it in cache as long as the user keeps requesting it (every page, probably). If the user changes his password, you should expire or update the cache object.

Possibly useful: http://forums.asp.net/t/1004454.aspx

Gary Davis
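
The cache-first lookup described in this answer, sketched for the asker's custom AuthorizeAttribute as an added example (not code from the thread). `IUserStore`, `SqlRoleAuthorizeAttribute`, the `UserRoles:` key prefix and the five-minute window are assumptions standing in for the asker's SQL queries and settings.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Caching;
using System.Web.Mvc;

// Hypothetical data-access contract; the SQL User/Role queries go behind it.
public interface IUserStore
{
    // Returns null when the Windows account is not in the User table.
    string[] GetRolesOrNull(string windowsAccountName);
}

public class SqlRoleAuthorizeAttribute : AuthorizeAttribute
{
    public static IUserStore Store;                              // assigned once at application start
    private static readonly string[] NotAUser = new string[0];   // sentinel: account not in User table

    // One cache entry per account; the key can be rebuilt from the user name alone.
    private static string CacheKey(string name) { return "UserRoles:" + name.ToUpperInvariant(); }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        string key = CacheKey(user.Identity.Name);
        var roles = httpContext.Cache[key] as string[];
        if (roles == null)
        {
            // Cache miss: one SQL round trip, then remember the answer (including "not a user").
            roles = Store.GetRolesOrNull(user.Identity.Name) ?? NotAUser;
            httpContext.Cache.Insert(key, roles, null,
                Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5));
        }
        if (ReferenceEquals(roles, NotAUser)) return false;

        // Roles is the comma-separated list from [SqlRoleAuthorize(Roles = "...")].
        var required = Roles.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                            .Select(r => r.Trim()).ToArray();
        return required.Length == 0 ||
               required.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }

    // Call after editing a user's row or roles so the change applies on the next request.
    public static void Invalidate(string windowsAccountName)
    {
        HttpRuntime.Cache.Remove(CacheKey(windowsAccountName));
    }
}
```

Because the expiration is sliding, an active user's entry never ages out on its own, so a role removal only takes effect once `Invalidate` is called or the entry is given an absolute expiration instead.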

Expert Comment

by:Stephan
ID: 39199638
If you use FormsAuthentication you can set UserData in the FormsAuthenticationTicket:
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx

This UserData object is of type string.

Another way I mostly use is HttpContext.Current.Items, adding an item to this collection on each request (so you can access it multiple times in the same request/context).

You can also cache the user object in the HttpContext.Current.Cache to prevent more round trips to the database.
http://msdn.microsoft.com/en-us/library/system.web.caching.cache.aspx
Make sure that the cache objects are identified with a key you can recreate, like "GetUserById_1".

Author Comment

by:sbornstein2
ID: 39200036
I am using Windows Auth, then I take the User.Identity.Name and query SQL Server to validate if the user is valid in a table called User, then I enumerate through a Role table in SQL Server. I am not sure exactly of the best place to store first that the user was validated and then second the roles.

Expert Comment

by:Stephan
ID: 39200348
So if I understand this correctly, you are using identity impersonation and not through NTLM?

So the user is automatically authenticated if it is inside the domain, and there is no login screen for the user?

If you are using a login screen (for example; NTLM), you can get the roles once and set them in the authenticationtoken and retrieve them without calling the sql database.

Author Comment

by:sbornstein2
ID: 39201157
Correct, Stephan. IIS has anonymous disabled and Windows auth enabled. I don't want to lock down only certain users to the server or via AD etc. So anyone can hit the site, but the SQL User table is where I am going to validate if the user has access to the site. I store the user's domain username in that table. So I then compare the User.Identity.Name against that table to validate whether the user is valid or not. Then I store roles in a Roles table. Two things I am looking at now are the CustomIdentity and CustomPrincipal, as I was hoping to leverage maybe the IsAuthenticated, but of course in the User context this is always set to true and I can't change it. I am also wondering if I should look into using claims, but that seems overkill only because I have a total of 40 users and it is all inside the firewall, intranet based only.

Accepted Solution

by:
Stephan earned 500 total points
ID: 39201177
Well, that the user is authenticated because he is identified as a user is true. So that should be OK. What you can do is work only with roles, so that a user should have "User" as a role for all pages.

You can setup a custom roleprovider:
http://msdn.microsoft.com/en-us/library/317sza4k(v=vs.90).aspx

What you can also do is get the roles of the user (if it exists) and set them into a cookie (make sure it is encrypted so they cannot change it).

Then use that cookie to implement the custom roleprovider.
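
One way to keep the roles in a cookie the client cannot alter, using the FormsAuthenticationTicket UserData approach mentioned earlier in the thread (added example, not code from the thread). The `RoleCookie` class, the `app_roles` cookie name, the `|` separator and the 20-minute lifetime are assumptions; it also assumes the default forms protection setting (encryption plus validation) and role names that contain no `|`.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class RoleCookie
{
    private const string CookieName = "app_roles";                  // hypothetical cookie name
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    // Call once after the SQL lookup has produced the user's roles.
    public static void Issue(HttpContextBase ctx, string[] roles)
    {
        var now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, ctx.User.Identity.Name, now, now.Add(Lifetime), false,
            string.Join("|", roles));                               // roles travel in UserData

        // Encrypt() applies the machineKey encryption and validation to the ticket.
        var cookie = new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                                        // not readable from script
            Secure = ctx.Request.IsSecureConnection                 // HTTPS-only when served over HTTPS
        };
        ctx.Response.Cookies.Add(cookie);
    }

    // Returns null when there is no usable cookie and the caller must query SQL again.
    public static string[] TryRead(HttpContextBase ctx)
    {
        var cookie = ctx.Request.Cookies[CookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }                          // altered or garbled value
        if (ticket == null || ticket.Expired) return null;

        // Accept the ticket only for the Windows account making this request.
        if (!string.Equals(ticket.Name, ctx.User.Identity.Name,
                           StringComparison.OrdinalIgnoreCase))
            return null;

        return ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
    }
}
```

The ticket is bound to the request's Windows identity, so a cookie copied from another account is ignored; roles still stay in effect until the ticket expires, so keep the lifetime short.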

Author Closing Comment

by:sbornstein2
ID: 39244755
thanks