Choosing between ASP.NET Identity claims and session data

I am trying to decide whether to store user-specific data in my MVC application as identity claims or as session data, in order to reduce the number and frequency of requests to the database. However, given considerations of performance, security, and other recommendations, I don't know which route to take.

I would be grateful for any suggestions on this subject.

+5
2 answers

IMO (and this is just my opinion), based on what I know about claims, cookie rules and storage rules:

Performance. I have never seen a difference between claims and session storage (unless the cookie gets big from a lot of claims). Both seem to be about the same speed, since both have to go and fetch the data from somewhere (claims = cookie, session = server drive storage). As for which is best, that comes down to how MUCH data has to be stored.

From what I have seen in my experience (correct me if I am mistaken), session data is stored on disk on the server, so basically only your hard disk sets the size restrictions, whereas cookies have a strict limit on the size of the encoded data, and the more claims you store, the bigger the cookie. So if you max out the cookie, the client can see a performance impact, because it sends all of the cookie data with each request to the site, whereas with session the server looks up the data locally and less data is sent to the browser.

So my opinion on best practice: if the data you are saving to avoid database lookups has a small footprint, then there really is no best practice for this, just use whatever you prefer. BUT if you store a lot of bits, especially rows, then in my opinion session would be best practice, as it saves sending the data back and forth between the client and server and has no size limit that you can hit at some point and then pull out your hair wondering why your data is missing. (I did this myself in the past: if the cookie is too large, the client simply silently refuses it, and it took 3 days to understand that it was the size of the cookie.)

+2

How you store user data for your application is very dependent on the application itself. But as a guideline, using claims-based authentication and storing claims in a session cookie is a very common approach. Look at ASP.NET Identity: http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity

You should be able to optimize the data stored in the session cookie. For example: if your application should always display the username on each page, you can keep a claim for the name in the session cookie. But if you need to display other user information, such as address, company, etc., on only one page ("user profile"), you can query this data from the database using the "nameidentifier" claim stored in the session cookie. If you look at ASP.NET Identity, you will see that you will not need to work with the session cookie directly, as the cookie authentication middleware makes sure the claims are accessible through the controller's User property (or ClaimsPrincipal.Current) in MVC. You must decide which claims should be available for all requests through the User property and which user properties should be queried from some userInformation database. Of course, you must store the key to the userInformation database (name identifier or email address) in the claims so that you can query the database at any time.

+4
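The split described in the second answer, as an added example that is not part of either answer: one small claim for data needed on every page, and a database lookup keyed by the name identifier for the rest. It assumes ASP.NET Identity 2 on MVC 5; `DisplayName`, `UserProfile`, `IUserProfileStore` and `AccountInfoController` are hypothetical names.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApplicationUser : IdentityUser
{
    public string DisplayName { get; set; } // hypothetical extra column

    // Runs at sign-in. Every claim added here is serialized into the protected
    // auth cookie and sent with each request, so add only small values.
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {
        var identity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
        identity.AddClaim(new Claim(ClaimTypes.GivenName, DisplayName ?? UserName));
        return identity;
    }
}

// Hypothetical store for rarely needed data (address, company, ...).
public class UserProfile { public string Address { get; set; } public string Company { get; set; } }
public interface IUserProfileStore { Task<UserProfile> FindByUserIdAsync(string userId); }

[Authorize]
public class AccountInfoController : Controller
{
    private readonly IUserProfileStore _profiles;
    public AccountInfoController(IUserProfileStore profiles) { _profiles = profiles; }

    // Needed on every page: read from the claims, no database round trip.
    public ActionResult Greeting()
    {
        var identity = (ClaimsIdentity)User.Identity;
        var name = identity.FindFirst(ClaimTypes.GivenName)?.Value ?? identity.Name;
        return Content("Hello, " + name, "text/plain"); // plain text: nothing is rendered as HTML
    }

    // Needed on one page only: query the database with the key held in the claims.
    public async Task<ActionResult> Details()
    {
        var userId = User.Identity.GetUserId(); // value of the NameIdentifier claim
        var profile = await _profiles.FindByUserIdAsync(userId);
        if (profile == null) return HttpNotFound();
        return View(profile);
    }
}
```

Claims are a snapshot taken at sign-in: a value changed in the database afterwards appears in `User` only once the cookie is reissued.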

Source: https://habr.com/ru/post/1242393/

