Solved

Caching question - anyone cache/cookie roles in .net web app?  HttpContext etc?

Posted on 2013-05-25
7
214 Views
Last Modified: 2013-06-13
Hello all,

I have an MVC application and in the app I have a custom AuthorizeAttribute.   In this method that gets called a good amount I run a query to check if the logged on user User.Identity.Name is in a SQL table.  That is the first check then if that is valid I think check if a role exists in a SQL role table and pass back simply a true boolean else false.

Is there a way to cache this like in the HttpContext somewhere?  So even though the method will always get called to check the role I can first check if the roles are in cache or a cookie etc. instead of making the database call again.   The same for the first check if the user is a valid user.  I tried like setting the HttpContext user IsAuthenticated property but that is not allowed.  I think there is a way to set the IPrincipal or something.   The idea is I don't want to use the role and membership provider I want to cache these somehow or put them in the right cookie similar but not have to stub out all the interface methods with Not implemented etc.
0
Comment
Question by:sbornstein2
  • 3
  • 3
7 Comments
 
LVL 18

Expert Comment

by:Gary Davis
ID: 39197727
Caching can help reduce hits to Sql Server dramatically for the case you describe and many others. Use the Asp.Net Cache object to save the user's information. Prior to accessing Sql, retrieve the cache's info and if null, call Sql to get it and then stick the response fields into cache for next time. The cache key is important - it should identify the parameters passed to Sql such as the UserID.

The cache object should be set to expire in a few minutes with a sliding expiration which will keep it in cache as long as the user keeps requesting it (every page, probably). If the user changes his password, you should expire or update the cache object.

Possible useful: http://forums.asp.net/t/1004454.aspx

Gary Davis
0
 
LVL 16

Expert Comment

by:Stephan
ID: 39199638
If you use formsauthentication you can set userdata in the formsauthenticationticket
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx

This userdata object is of type string.

Another way I mostly use is HttpContext.Current.Items and add a item to this collection on each request (so you can access it multiple times in the same request/context).

You can also cache the user object in the HttpContext.Current.Cache to prevent more round trips to the database.
http://msdn.microsoft.com/en-us/library/system.web.caching.cache.aspx
Make sure that the cache objects are identified with a key you can recreate like "GetUserById_1"
0
 

Author Comment

by:sbornstein2
ID: 39200036
I am using Windows Auth then I take the User.Identity.Name and query sql server to validate if the user is valid in a table called User then I enumerate through a Role table in SQL server.   I am not sure exactly best place to store first the user was validated and then second the roles.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 16

Expert Comment

by:Stephan
ID: 39200348
So if I understand this correctly, you are using identity impersonation and not through NTLM?

So the user is automaticly authenticated if it is inside the domain? and there is no login screen for the user?

If you are using a login screen (for example; NTLM), you can get the roles once and set them in the authenticationtoken and retrieve them without calling the sql database.
0
 

Author Comment

by:sbornstein2
ID: 39201157
Correct Stephan.   IIS has anonymous disabled and windows auth enabled.   I don't want to lock down only certain users to the server or via AD etc.   So anyone can hit the site but the SQL User table is where I am going to validate if the user has access to the site.  I store the user domain username in that table.  So I think compare the User.Identity.Name against that table to validate the user is valid or not.   Then I store roles in a Roles table.   Two things I am looking at now is the CustomIdentity and CustomPrincipal as I was hoping to leverage maybe the IsAuthenticated but of course the User context this is always set to true and I can't change it.    I am also wondering if I should look into using claims but that seems overkill only because I have a total of 40 users and it is all inside the firewall Intranet based only.
0
 
LVL 16

Accepted Solution

by:
Stephan earned 500 total points
ID: 39201177
Well, that the user is authenticated because he is identified as a user is true. So that should be ok. What you can do is working only with roles. That a user should have "User" as role for all pages.

You can setup a custom roleprovider:
http://msdn.microsoft.com/en-us/library/317sza4k(v=vs.90).aspx

What you can do also is getting the roles of the user (if it exists) and set them into a cookie (make sure it is encrypted so they cannot change it).

then use that cookie to implement the custom roleprovider
0
 

Author Closing Comment

by:sbornstein2
ID: 39244755
thanks
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Just a quick little trick I learned recently.  Now that I'm using jQuery with abandon in my asp.net applications, I have grown tired of the following syntax:      (CODE) I suppose it just offends my sense of decency to put inline VBScript on a…
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now