Re: Role Providers Cache



If you have sticky session support, then you can use in process session
state. If not, you would need to use out of process and either configure
the state server or SQL server, depending on your needs. Getting the state
server up and running isn't really a big deal and doesn't require any
additional software, as it comes with ASP.NET.

Best of luck!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Tom" <Tom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:02742262-352C-407C-8B25-24493040CA18@xxxxxxxxxxxxxxxx
OK, think you answered all my questions, thanks a lot. Looks like we have to
do our own cache using the cache management API. Also have to make sure we
want to manage session. Some issue on how production support wants to set up
in production. We have a farm but not sure if they want to have a cache
server. But our reverse proxies do have some sort of sticky sessions.

Thanks
Tom

"Joe Kaplan (MVP - ADSI)" wrote:

I'm not sure about the max size of the cookie, but you could look that up.

It seems like if you want to use the built-in stuff, the session-based
caching would give you a good security blanket here, with the possible
downside of less scalability and more consideration required in a server
farm environment with out of process session state.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Tom" <Tom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CA624428-350F-4AED-9067-18A412AFFD80@xxxxxxxxxxxxxxxx
Thanks for the reply.

The provider we need to write may be a short term once the Web site with
over 200 functions (applications) is rewritten from VB6/ASP to .NET. The
current solution uses a DLL to access all the security roles in a Novell
EDIR. Once the Web site is fully .NET we may have some flexibility to use an
Auth Manager Role Provider or use the SQL Role provider (moving the roles to
SQL). But while in transition it seems like the best approach is to use a
role provider using the DLL as the source for the authorization. We
have no way around the 200+ roles since each company (1200+) using the web
site wants to secure the application for their user. Each company has their
own data update and reporting function.

So my main concern was on the cache feature and the cookie; was worried we
may hit the limit on the cookie size and wonder if it is worth caching the
data in cookies if the data size gets large.

Was thinking if we needed to cache the results that the session would be
better?
Or maybe no cache at all? Or cookie, but how large is too large?

Thanks
Tom

"Joe Kaplan (MVP - ADSI)" wrote:

What was the question you were trying to ask? It sounds like you know the
options pretty well.

If you are trying to avoid using session state (always a good idea in my
mind unless it is unavoidable), the cookie does sound like a good idea, but
it could be really big. You could create some sort of compression type of
thing where you have a big bitmap to represent the roles and then just store
the values in the cookie as the representative byte array of the roles. Of
course, then you'd need some code to read and write the cookie in order to
turn those back into friendly representations internally.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Tom" <Tom@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82C8D131-8E7B-482C-A852-192B8E9DFD73@xxxxxxxxxxxxxxxx
If you do not cache role provider to Cookies with the
cacheRolesInCookie="True" in your role provider configuration, will it
default to cache to Session? We may have over 200 roles for some users and
I am concerned about the size of the cookie but would like the role cached if
possible. We will be writing our own role provider but would like to do as
little as possible.

Thanks
Tom
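
The role-bitmap cookie idea raised in the thread, as an added example (not code from any poster or from ASP.NET itself): each role gets a fixed bit position, and an HMAC over the user name and bitmap lets the server reject a value that was edited or copied from another user. The class name, the stable role catalog and a key shared by every server in the farm are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: class name, catalog order and key handling are assumptions.
public static class RoleBitmapCookie
{
    const int TagLen = 32; // HMAC-SHA256 output size in bytes

    // MAC over user name + bitmap, so the value cannot be edited or reused by another user.
    static byte[] Tag(string user, byte[] bits, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(user + "\n").Concat(bits).ToArray());
    }

    // Bit i is set when the user holds catalog[i]; positions must stay stable (append new roles only).
    public static string Encode(IList<string> catalog, ICollection<string> userRoles, string user, byte[] key)
    {
        var bits = new byte[(catalog.Count + 7) / 8];
        for (int i = 0; i < catalog.Count; i++)
            if (userRoles.Contains(catalog[i]))
                bits[i / 8] |= (byte)(1 << (i % 8));
        return Convert.ToBase64String(bits.Concat(Tag(user, bits, key)).ToArray());
    }

    // Returns the user's role names, or null when the value is malformed or fails the MAC check.
    public static List<string> Decode(IList<string> catalog, string value, string user, byte[] key)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(value ?? ""); }
        catch (FormatException) { return null; }
        int n = (catalog.Count + 7) / 8;
        if (raw.Length != n + TagLen) return null;
        byte[] bits = raw.Take(n).ToArray();
        byte[] expected = Tag(user, bits, key);
        int diff = 0; // compare every byte so timing does not reveal where the mismatch is
        for (int i = 0; i < TagLen; i++) diff |= raw[n + i] ^ expected[i];
        if (diff != 0) return null;
        var roles = new List<string>();
        for (int i = 0; i < catalog.Count; i++)
            if ((bits[i / 8] & (1 << (i % 8))) != 0) roles.Add(catalog[i]);
        return roles;
    }
}
```

With a 200-role catalog the bitmap is 25 bytes, and with the 32-byte tag the Base64 cookie value is 76 characters. A null result from Decode should be treated as a cache miss and the roles reloaded from the backing store.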









