Hello,
I am currently playing with form authentication & role based
security on a web application.
As seen in the starter kit Time tracker, I setup a custom identity
class (CustomPrincipal) because i wanted some extra info about the
current user,
i need this extra information to be available in pages without having
to query the database at each page request.
I followed the above samples, and setup the following:
I created a CustomPrincipal class with extra properties (code
shortened for readability)
Public Class CustomPrincipal
Implements IPrincipal
...
Public Sub New(ByVal identity As IIdentity, ByVal
Roles() As String)
Public ReadOnly Property Identity() As IIdentity
Implements IPrincipal.Identity
Public Property Name() As String
Public Property Roles() As String()
Public Property UserID() As Integer
Public Property FullName() As String
...
End Class
When the user authenticate through the login form,
i save the authentication cookie, where i included some extra user
info with the roles in the "userdata" field (string delimited)
I can then get this userdata information back in the global.asax
Application_AuthenticateRequest event,
[code:1:6c073b2f24]Dim authTicket As FormsAuthenticationTicket =
FormsAuthentication.Decrypt(authCookie.Value)
Dim UserInformation As String() =
authTicket.userData.Split(";")
Dim roles As String() =
UserInformation(0).Split("|")
Dim id As FormsIdentity = new FormsIdentity(authTicket )
[/code:1:6c073b2f24]
create a CustomPrincipal and assign it to the to the current request
[code:1:6c073b2f24]Dim myPrincipal As New CustomPrincipal (id,
roles)
myPrincipal.UserID =
Ctype(UserInformation(1),integer)
myPrincipal.FullName =
Ctype(UserInformation(2),String)
myPrincipal.ParentCompany =
Ctype(UserInformation(3),Integer)
...
Context.User = myPrincipal[/code:1:6c073b2f24]
It is working very well, but by doing so, all information is stored in
the authcookie... where the size is very limited...
My question is what about the following
approach:
I would like to use a UserInfo class
[code:1:6c073b2f24]Public Class UserInfo
Public UserID As Integer = 0
Public UserLevel As Integer = 0
Public Firstname As String = ""
Public Lastname As String = ""
Public Email As String = ""
Public ParentCompany As Integer = 0
.... and many other properties
End Class[/code:1:6c073b2f24]
Build my CustomPrincipal with it
[code:1:6c073b2f24]Public Class CustomPrincipal
Implements IPrincipal
Protected _Identity As IIdentity
....
Public Sub New(ByVal identity As IIdentity, ByVal
Roles() As String)
_Identity = identity
_arUserRoles = Roles
End Sub
Public ReadOnly Property Identity() As IIdentity Implements
IPrincipal.Identity
Get
Return _Identity
End Get
End Property
Public ReadOnly Property IdentityInfo As UserInfo
Get
Return User.GetInfo(Me.Identity.Name)
End Get
End Property
End Class
Class User
Public shared Function GetInfo(byVal username as string) As
UserInfo
Dim _UserInfo As userInfo
If Session("UserInfo") Is Nothing Then
' build objUserInfo from database
' save the objUserInfo
in Session
Session("UserInfo") = objUserInfo
Else
_UserInfo =
Ctype(Session("UserInfo"),UserInfo)
End If
Return _UserInfo
End Function
End Class[/code:1:6c073b2f24]
So i could store many more information than in the cookie and access
it in all pages through my CustomPrincipal.IdentityInfo
[b:6c073b2f24]What would be the pros & cons of
doing this way ?
Why are all samples relying only on the authentication cookie and not
on session variables to store the identity userdata
?[/b:6c073b2f24]
many many thanks,
Luc
ps: still at the beginning of learning asp.net, so please forgive
errors ;-)
*-----------------------*
Posted at:
www.GroupSrv.com
*-----------------------*
