Re: Authorization question, w/ "Windows" authentication mode



I agree with D. You are really implementing a performance optimization
here, so cache is the most appropriate storage to use.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631a1a338c869c44c7fc4c2@xxxxxxxxxxxxxxxxxxxxx
Hi,
Session is not available in Post/AuthenticateRequest - I would use the
cache or a cookie.

The cache has the advantage of being self-managed and server-only.
If a cookie, I would use the userData field of the FormsAuth ticket - this
gives you encryption and integrity protection + renewal for free.

In both cases (a little easier with the cache) - you should periodically
check if the user is still valid and the group memberships are still OK -
otherwise you end up with stale information - especially if sliding
expiration is used.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Joe Kaplan (MVP - ADSI) wrote:

To avoid a database hit, you can use the cache or use session state
or perhaps a cookie

Actually, I think the options may be limited to the Cache or a cookie.
It appears the Session object doesn't yet exist: "Session_Start()" is
executed *after* "Application_AuthenticateRequest()".

I had thought perhaps I could just check for Session being null, if so
grab from db, and that after page hit one Session should then exist.
But...it doesn't. dah!

So it looks like Cache or cookie are the only options. If I did Cache
I suppose I'd use a unique key based off the userID, w/ a short
time-to-live.

matt
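
The cache approach discussed in this thread, as an added example that is not part of the original posts: roles are looked up in Application_AuthenticateRequest, cached under a key derived from the user ID with a short time-to-live, and attached to the Windows identity. The five-minute lifetime, the "AppDb" connection string name, the UserRoles table and the LoadRoles helper are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;

public class Global : HttpApplication // Global.asax.cs
{
    // Assumed value: a short absolute lifetime bounds how long stale roles live.
    static readonly TimeSpan RoleTtl = TimeSpan.FromMinutes(5);

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        // Key on the authenticated account name, never on client-supplied input.
        string key = "roles:" + user.Identity.Name.ToUpperInvariant();
        string[] roles = HttpRuntime.Cache[key] as string[];
        if (roles == null)
        {
            roles = LoadRoles(user.Identity.Name);
            // Absolute, not sliding, expiration: an active user's entry is
            // still re-read from the database once RoleTtl has passed.
            HttpRuntime.Cache.Insert(key, roles, null,
                DateTime.UtcNow.Add(RoleTtl), Cache.NoSlidingExpiration);
        }
        // Keep the Windows identity; attach the application's roles to it.
        Context.User = new GenericPrincipal(user.Identity, roles);
    }

    // Hypothetical schema and connection string name ("AppDb", UserRoles).
    static string[] LoadRoles(string account)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT RoleName FROM UserRoles WHERE Account = @account", conn))
        {
            cmd.Parameters.AddWithValue("@account", account);
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read()) roles.Add(r.GetString(0));
        }
        return roles.ToArray();
    }
}
```

When a user's roles are changed, calling HttpRuntime.Cache.Remove with the same key forces the next request to reload them instead of waiting for the entry to expire.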