Session vs. Cookie vs. Custom IPrincipal

I am working on a project in which some registered users have a special page where they can select a URL. When a user logs in, I would like to display the link “View my page”. I'm just wondering what is the best way to save this, bearing in mind that it should be available as long as the user logs in (the site also has a “remember me” function). Will there be a session variable? Or cookies? Or custom IPrincipal?

Many thanks

Matt

UPDATE:

What do you guys think about using the UserData string that you can save with an authentication cookie? It seems to satisfy my requirements, but I cannot say that I know a lot about it.

+4
3 answers

Thanks guys, however I ended up using the UserData string, which you can save with the authentication cookie. This way, I know that data will always be available until the user is authenticated. And since I only need to remember simple data (the user's URL), this seems like a good solution.

Anyone who has the same issue can find more information here:

http://www.asp.net/learn/security/tutorial-03-cs.aspx (see step 4)

+1
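An added example, not code from the answer above or from the linked tutorial: one way to carry the page URL in the forms authentication ticket's UserData and read it back on later requests. The class and method names are hypothetical, and it assumes ASP.NET 4 or later with `<forms protection="All">` (the default), so the ticket is encrypted and integrity-checked and the client cannot alter the URL the way it could with a plain cookie.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper; names are illustrative only.
public static class PageUrlTicket
{
    // Call after the credentials have been verified, in place of
    // FormsAuthentication.SetAuthCookie, which cannot set UserData.
    public static void SignIn(HttpResponseBase response, string userName,
                              string pageUrl, bool rememberMe)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                    // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            rememberMe,                           // persistent ("remember me")
            pageUrl ?? string.Empty,              // UserData payload
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the protection configured on <forms>.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                      // not readable from script
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (rememberMe) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Returns the stored URL, or null when the caller should fall back
    // to the data store (no ticket, empty UserData, unexpected value).
    public static string GetPageUrl(HttpContextBase context)
    {
        var identity = context.User == null
            ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return null;

        string url = identity.Ticket.UserData;
        // Defense in depth: accept only a site-relative path before
        // writing the value into an href.
        if (string.IsNullOrEmpty(url) || url[0] != '/' ||
            url.StartsWith("//") || url.StartsWith("/\\"))
            return null;
        return url;
    }
}
```

The forms authentication module has already decrypted and validated the ticket by the time `GetPageUrl` runs, so no explicit `FormsAuthentication.Decrypt` call is needed there.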

Form authentication (cookie based) should be sufficient. Here you can read about using FormsAuthentication with a custom IPrincipal:

ASP.NET 2.0 Form Authentication - Keeping it Custom Still Easy

This page talks about how forms authentication works:

Explanation: Form Authentication in ASP.NET 2.0

When using forms authentication, you have the Authorize attribute to restrict access to controllers and actions. It works very well. Your own IPrincipal is not needed. I would not use Session because it can be easily lost.

+2

If you mean that you want to display a different user URL for each user, and you just want to cache this URL, then you need to consider a few things:

  • If you are using a session value or a cookie, then you need to code for the possibility that the value is not present. Both the server session and the browser session may expire, and the user can still log in.

  • If you use a cookie, you might consider setting the cookie expiration time to the same as the validity cookie, but this still does not guarantee accessibility.

  • The cookie value will not be safe; it can be changed. Session value will be safe.

  • If you use user form authentication, you can save the URL in the authentication cookie itself and then upload it to the user IPrincipal. I would advise against this, as I do not think this is the right place.

If you are simply trying to cache the URL, then as long as your code retrieves the data when this value is missing, the session value or cookie will be fine depending on the security level.

If I read this incorrectly and you just want to show / hide the link depending on whether the user is allowed or not, you can simply use

<% if (User.Identity.IsAuthenticated) { %> <a href="/MyPage">view my page</a> <% } %> 

And your MyPage action in your controller displays a dedicated page for the user.

0

Source: https://habr.com/ru/post/1300434/

