ASP.NET MVC - Save User Permissions

The best thing to do in MVC is to use Identity. I had made my own access control but I surrendered to Identity from version 2.x because it is much more flexible than in previous versions. It uses the database, when you create a new application and register a user it will automatically create a local express database in your application and create the tables and register this new user. But you can also write these tables to an external bank and change the connection string to this bank, so you have your access control in your own database. Here is a link that will explain step by step the Identity: link

Currently the best authentication / authorization model is through a token, which is passed through the request header.

There is a specification that addresses this, is OpenID Connect (OIDC) .

Large players use this specification so you can integrate and use their sign-in service ( Google by example).

Although I advise you to use OIDC, I do not advise you to implement the specification. Look for Identity Server 4 (identityserver4) and see the examples they have in the github repository.

Using OIDC you will have support for webforms, mvc, spa, console, mobile applications.

At the end of the day, you will outsource the login process of your application, delegating that work to another application and maintaining a trust relationship between the applications.