ASP.NET MVC - Save User Permissions

0

I'm developing my first application in .NET MVC.

Normally, when working with Web Forms, after the user logged in, their information (name, email, permissions, etc.) was saved in the session. This way, on each request it was possible to validate whether they were actually allowed to access a page or functionality without having to read the database again.

I have been reading some posts that recommend not using Session to store this type of information, since it can compromise the scalability of the application. Based on this, what would be the best way to store logged-in user information? How do I validate permissions when a request arrives on the server?

    
asked by anonymous 12.10.2016 / 20:22

2 answers

1

The best thing to do in MVC is to use Identity. I had made my own access control, but I surrendered to Identity from version 2.x because it is much more flexible than in previous versions. It uses the database: when you create a new application and register a user, it automatically creates a local Express database in your application, creates the tables, and registers this new user. But you can also create these tables in an external database and change the connection string to point to it, so you have your access control in your own database. Here is a link that explains Identity step by step: link

    
12.10.2016 / 22:40
0

Currently the best authentication/authorization model is through a token, which is passed through the request header.

There is a specification that addresses this: OpenID Connect (OIDC).

Large players use this specification so you can integrate and use their sign-in service (Google, for example).

Although I advise you to use OIDC, I do not advise you to implement the specification. Look for Identity Server 4 (identityserver4) and see the examples they have in the GitHub repository.

Using OIDC you will have support for Web Forms, MVC, SPA, console, and mobile applications.

At the end of the day, you will outsource the login process of your application, delegating that work to another application and maintaining a trust relationship between the applications.

    
12.10.2016 / 23:10
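
An added example, not part of either answer above: one way to answer "how do I validate permissions when a request arrives" without Session is to carry the permissions as claims in the authentication cookie or token and check them in an authorization filter. It assumes ASP.NET MVC 5 with OWIN cookie authentication (as used by ASP.NET Identity 2.x); the `permission` claim type, `PermissionClaims`, `RequirePermissionAttribute`, `ReportsController` and the permission name `reports.read` are hypothetical.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;

public static class PermissionClaims
{
    public const string ClaimType = "permission"; // hypothetical claim type

    // Call once at login. 'identity' is the ClaimsIdentity built for the user
    // (with Identity 2.x, e.g. the result of UserManager.CreateIdentityAsync).
    // Permissions are read from the database a single time and travel in the
    // signed, encrypted authentication cookie instead of in Session.
    public static void SignIn(IAuthenticationManager auth, ClaimsIdentity identity,
                              IEnumerable<string> permissionsFromDb)
    {
        foreach (var permission in permissionsFromDb)
            identity.AddClaim(new Claim(ClaimType, permission));
        auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
    }
}

// Per request: the cookie middleware rebuilds the ClaimsPrincipal from the
// cookie, so this check needs neither Session nor a database round trip.
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;
    public RequirePermissionAttribute(string permission) { _permission = permission; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User as ClaimsPrincipal;
        return user != null && user.Identity != null && user.Identity.IsAuthenticated
            && user.HasClaim(PermissionClaims.ClaimType, _permission);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but missing the permission: answer 403 rather than
        // redirecting an already authenticated user back to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class ReportsController : Controller
{
    [RequirePermission("reports.read")] // hypothetical permission name
    public ActionResult Index() { return Content("ok"); }
}
```

Claims issued this way stay valid until the cookie is reissued, so a permission revoked in the database is still honoured until then; Identity 2.x's `SecurityStampValidator.OnValidateIdentity` can be configured to re-validate the cookie at an interval. Keep the claim set small, since every claim is sent with each request.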