Link to home
Start Free TrialLog in
Avatar of sbornstein2
sbornstein2

asked on

Caching question - anyone cache/cookie roles in .net web app? HttpContext etc?

Hello all,

I have an MVC application and in the app I have a custom AuthorizeAttribute.   In this method that gets called a good amount I run a query to check if the logged on user User.Identity.Name is in a SQL table.  That is the first check then if that is valid I think check if a role exists in a SQL role table and pass back simply a true boolean else false.

Is there a way to cache this like in the HttpContext somewhere?  So even though the method will always get called to check the role I can first check if the roles are in cache or a cookie etc. instead of making the database call again.   The same for the first check if the user is a valid user.  I tried like setting the HttpContext user IsAuthenticated property but that is not allowed.  I think there is a way to set the IPrincipal or something.   The idea is I don't want to use the role and membership provider I want to cache these somehow or put them in the right cookie similar but not have to stub out all the interface methods with Not implemented etc.
Avatar of Gary Davis
Gary Davis
Flag of United States of America image

Caching can help reduce hits to Sql Server dramatically for the case you describe and many others. Use the Asp.Net Cache object to save the user's information. Prior to accessing Sql, retrieve the cache's info and if null, call Sql to get it and then stick the response fields into cache for next time. The cache key is important - it should identify the parameters passed to Sql such as the UserID.

The cache object should be set to expire in a few minutes with a sliding expiration which will keep it in cache as long as the user keeps requesting it (every page, probably). If the user changes his password, you should expire or update the cache object.

Possible useful: http://forums.asp.net/t/1004454.aspx

Gary Davis
Avatar of Stephan
If you use formsauthentication you can set userdata in the formsauthenticationticket
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx

This userdata object is of type string.

Another way I mostly use is HttpContext.Current.Items and add a item to this collection on each request (so you can access it multiple times in the same request/context).

You can also cache the user object in the HttpContext.Current.Cache to prevent more round trips to the database.
http://msdn.microsoft.com/en-us/library/system.web.caching.cache.aspx
Make sure that the cache objects are identified with a key you can recreate like "GetUserById_1"
Avatar of sbornstein2
sbornstein2

ASKER

I am using Windows Auth then I take the User.Identity.Name and query sql server to validate if the user is valid in a table called User then I enumerate through a Role table in SQL server.   I am not sure exactly best place to store first the user was validated and then second the roles.
So if I understand this correctly, you are using identity impersonation and not through NTLM?

So the user is automaticly authenticated if it is inside the domain? and there is no login screen for the user?

If you are using a login screen (for example; NTLM), you can get the roles once and set them in the authenticationtoken and retrieve them without calling the sql database.
Correct Stephan.   IIS has anonymous disabled and windows auth enabled.   I don't want to lock down only certain users to the server or via AD etc.   So anyone can hit the site but the SQL User table is where I am going to validate if the user has access to the site.  I store the user domain username in that table.  So I think compare the User.Identity.Name against that table to validate the user is valid or not.   Then I store roles in a Roles table.   Two things I am looking at now is the CustomIdentity and CustomPrincipal as I was hoping to leverage maybe the IsAuthenticated but of course the User context this is always set to true and I can't change it.    I am also wondering if I should look into using claims but that seems overkill only because I have a total of 40 users and it is all inside the firewall Intranet based only.
ASKER CERTIFIED SOLUTION
Avatar of Stephan
Stephan
Flag of Netherlands image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
thanks