Form authentication & Custom Principal implementation

Hello,
I am currently playing with form authentication & role based
security on a web application.

As seen in the starter kit Time tracker, I set up a custom identity
class (CustomPrincipal) because I wanted some extra info about the
current user,
I need this extra information to be available in pages without having
to query the database at each page request.

I followed the above samples, and set up the following:

I created a CustomPrincipal class with extra properties (code
shortened for readability)
[code:1:6c073b2f24]Public Class CustomPrincipal
    Implements IPrincipal
    ...
    Public Sub New(ByVal identity As IIdentity, ByVal Roles() As String)
    Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
    Public Property Name() As String
    Public Property Roles() As String()
    Public Property UserID() As Integer
    Public Property FullName() As String
    ...
End Class[/code:1:6c073b2f24]
When the user authenticates through the login form,
I save the authentication cookie, where I included some extra user
info with the roles in the "userdata" field (string delimited)

I can then get this userdata information back in the global.asax
Application_AuthenticateRequest event,

[code:1:6c073b2f24]' Decrypt the forms-authentication ticket and split its UserData field
Dim authTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
Dim UserInformation As String() = authTicket.UserData.Split(";"c)
Dim roles As String() = UserInformation(0).Split("|"c)
Dim id As FormsIdentity = New FormsIdentity(authTicket)
[/code:1:6c073b2f24]

create a CustomPrincipal and assign it to the current request

[code:1:6c073b2f24]Dim myPrincipal As New CustomPrincipal(id, roles)
myPrincipal.UserID = CType(UserInformation(1), Integer)
myPrincipal.FullName = CType(UserInformation(2), String)
myPrincipal.ParentCompany = CType(UserInformation(3), Integer)
...
Context.User = myPrincipal[/code:1:6c073b2f24]

It is working very well, but by doing so, all information is stored in
the authcookie... where the size is very limited...

My question is what about the following
approach:

I would like to use a UserInfo class

[code:1:6c073b2f24]Public Class UserInfo

    Public UserID As Integer = 0
    Public UserLevel As Integer = 0
    Public Firstname As String = ""
    Public Lastname As String = ""
    Public Email As String = ""
    Public ParentCompany As Integer = 0
    ' .... and many other properties

End Class[/code:1:6c073b2f24]
Build my CustomPrincipal with it

[code:1:6c073b2f24]Public Class CustomPrincipal
    Implements IPrincipal
    Protected _Identity As IIdentity
    ....

    Public Sub New(ByVal identity As IIdentity, ByVal Roles() As String)
        _Identity = identity
        _arUserRoles = Roles
    End Sub

    Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
        Get
            Return _Identity
        End Get
    End Property

    ' Extra user data, fetched on access and served from Session once cached
    Public ReadOnly Property IdentityInfo() As UserInfo
        Get
            Return User.GetInfo(Me.Identity.Name)
        End Get
    End Property

End Class

Class User

    Public Shared Function GetInfo(ByVal username As String) As UserInfo

        ' A Shared method has no Page.Session, so go through the current HttpContext
        Dim session As System.Web.SessionState.HttpSessionState = System.Web.HttpContext.Current.Session
        Dim _UserInfo As UserInfo = Nothing

        If session("UserInfo") Is Nothing Then

            ' build _UserInfo from database
            ' save the _UserInfo in Session

            session("UserInfo") = _UserInfo
        Else
            _UserInfo = CType(session("UserInfo"), UserInfo)
        End If

        Return _UserInfo

    End Function

End Class[/code:1:6c073b2f24]

So I could store much more information than in the cookie and access
it in all pages through my CustomPrincipal.IdentityInfo
[b:6c073b2f24]What would be the pros & cons of doing it this way?
Why are all samples relying only on the authentication cookie and not
on session variables to store the identity userdata?[/b:6c073b2f24]

many many thanks,

Luc

ps: still at the beginning of learning asp.net, so please forgive
errors ;-)

*-----------------------*
Posted at:
www.GroupSrv.com
*-----------------------*
Nov 18 '05 #1
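
An added example, not part of the original post or of any starter kit: one way to write the session-backed `GetInfo` from the post above so that a cached record is reused only for the user named in the current forms-authentication ticket, and so that it still works when Session is not yet available. `UserInfoCache`, the `UserName` field and `LoadFromDatabase` are hypothetical names, and the database lookup is a stand-in.

```vbnet
Imports System
Imports System.Web
Imports System.Web.SessionState

' Added example; names below are assumptions, not code from the post.
Public Class UserInfo
    Public UserName As String = ""   ' assumption: records who owns this entry
    Public UserID As Integer = 0
    Public FullName As String = ""
End Class

Public Class UserInfoCache
    Private Const SessionKey As String = "UserInfo"

    ' Hypothetical stand-in for the database lookup elided in the post.
    Private Shared Function LoadFromDatabase(ByVal username As String) As UserInfo
        Dim info As New UserInfo()
        info.UserName = username
        Return info
    End Function

    Public Shared Function GetInfo(ByVal username As String) As UserInfo
        Dim ctx As HttpContext = HttpContext.Current
        Dim session As HttpSessionState = Nothing
        If ctx IsNot Nothing Then session = ctx.Session

        ' Session is Nothing until AcquireRequestState has run (for example
        ' inside Application_AuthenticateRequest): load without caching.
        If session Is Nothing Then Return LoadFromDatabase(username)

        Dim cached As UserInfo = TryCast(session(SessionKey), UserInfo)

        ' The session cookie and the forms-authentication cookie expire and
        ' are cleared independently, so reuse the cached record only when it
        ' belongs to the identity carried by the current ticket.
        If cached Is Nothing OrElse _
           Not String.Equals(cached.UserName, username, StringComparison.OrdinalIgnoreCase) Then
            cached = LoadFromDatabase(username)
            session(SessionKey) = cached
        End If
        Return cached
    End Function
End Class
```

`TryCast` and `StringComparison` require VB 2005 / .NET 2.0 or later.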
"lucd" <ld********@cpexpo-dot-com.no-spam.invalid> wrote in message
news:41**********@Usenet.com...
Hello,

.... So I could store much more information than in the cookie and access
it in all pages through my CustomPrincipal.IdentityInfo
[b:6c073b2f24]What would be the pros & cons of doing it this way?
Why are all samples relying only on the authentication cookie and not
on session variables to store the identity userdata?[/b:6c073b2f24]


I suppose that I'd use your technique if I had a lot of information about
the user to store. If it was frequently accessed, and faster to access from
Session than from the database or from Cache, then sure, session works.

But, just how much information about a user do you want to carry around to
every single page? What percentage of that information is used on a typical
page? If most pages use only 20% of the information, then perhaps that 20%
should stay in the IPrincipal, and the rest should be in Session state. This
isn't a big deal, just a separation of responsibilities. If 80% of that data
isn't being used most of the time, then most of your pages shouldn't care if
you change the way that data is represented.

John Saunders
Nov 18 '05 #2
Sounds logical, thanks John

Nov 18 '05 #3
