asp.net mvc - Storing logged user data
I'm working on an MVC project where the user enters credentials in a login form. I get the other user info through a web service and am storing it like this:

    var result = client.getuser(gui);
    name = result.users.ElementAt(1).name;
    ...
    ...
    Session["usercode"] = usercode;
    Session["password"] = password;
    Session["username"] = name;
    Session["useremail"] = email;
    Session["creationdate"] = creationdate;
    Session["phonenumber"] = phone;

Throughout the app, whenever I need to, I access these variables if I need the info in them. Since I'm working on a new project that has 5 pages, I wonder if I'll be accessing them when the project has dozens of pages, or if I shouldn't use session variables at all.

Is there a better way to store logged user data?
First things first: don't ever store the user's password in session - that is a horrible security issue!

If you are building the application now, I highly recommend using the Identity framework. There you can add claims to the user identity. The list of claims is a dictionary of string to string, and you can get the claims whenever you'd like.

So you can add claims for the user's phone number, email and creation date easily, and then have extension methods to get the info out:
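    using System.Linq;
    using System.Security.Claims;

    // Extension methods must be declared in a static class (the class name is illustrative).
    public static class ClaimsPrincipalExtensions
    {
        // Returns the user's email claim, or an empty string if it is missing.
        public static string GetEmail(this ClaimsPrincipal principal)
        {
            if (principal == null)
            {
                return string.Empty;
            }
            var emailClaim = principal.Claims.SingleOrDefault(c => c.Type == "email");
            if (emailClaim == null)
            {
                return string.Empty;
            }
            return emailClaim.Value;
        }
    }

And call the method like this:

    ClaimsPrincipal.Current.GetEmail()

Claims follow the user in the cookie, encrypted.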
UPD: You should not store the password in session because you should not need it after authentication. Once the user is validated and the auth cookie is set, you should remove the password from memory. If you keep it in session after authentication, there are situations where session data is exposed. One of the scenarios I can think of is an exception stack trace dumped to ELMAH, and ELMAH exposes session variables in plain text. Another situation is when Glimpse is used - it shows session data.

As for the social aspect of Identity - you can safely ignore it and build the app with an internal list of users. I've migrated one of my projects from MembershipProvider to Identity and did not take dependencies on social auth.

As for VS2010 (why not upgrade?), Identity takes a dependency on Entity Framework 6.1, but does not depend on MVC or anything else, so there should be no problems with that, unless you are using database-first EF, in which case the EF 6.1 tooling might not work with VS2010. However, I have not tried it in VS2010, and I suggest you create a tiny test project in VS2010 that simulates Identity integration into the site.
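The write side of what the answer describes, as an added example that is not part of the original post: the profile returned at login is turned into claims through an allow-list, so the password never reaches the identity or the cookie built from it. The class and method names, the allow-list and the sample profile are assumptions constructed for illustration; only System.Security.Claims is used, and in an MVC app the resulting identity would be handed to the cookie sign-in.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class UserClaims // hypothetical helper, not from the post
{
    // Assumed allow-list of profile fields that may become claims.
    // The login credentials (usercode, password) are deliberately absent.
    private static readonly HashSet<string> Allowed = new HashSet<string>
        { "username", "useremail", "creationdate", "phonenumber" };

    // Build the identity once, at login, from the web-service profile.
    public static ClaimsIdentity BuildIdentity(IDictionary<string, string> profile)
    {
        // A non-empty authentication type marks the identity as authenticated.
        var identity = new ClaimsIdentity("ApplicationCookie");
        foreach (var field in profile)
        {
            if (Allowed.Contains(field.Key) && !string.IsNullOrEmpty(field.Value))
                identity.AddClaim(new Claim(field.Key, field.Value));
        }
        return identity;
    }
    // Generic reader: empty string when the principal or the claim is missing.
    public static string GetClaimValue(this ClaimsPrincipal principal, string type)
    {
        if (principal == null) return string.Empty;
        var claim = principal.Claims.FirstOrDefault(c => c.Type == type);
        return claim == null ? string.Empty : claim.Value;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample of what the login web service might return.
        var profile = new Dictionary<string, string>
        {
            { "username", "Alice Example" }, { "useremail", "alice@example.test" },
            { "phonenumber", "555-0100" }, { "creationdate", "2014-03-01" },
            { "password", "not-a-real-password" }
        };
        var principal = new ClaimsPrincipal(UserClaims.BuildIdentity(profile));
        Console.WriteLine(principal.GetClaimValue("useremail"));
        Console.WriteLine(principal.Claims.Any(c => c.Type == "password"));
    }
}
```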
asp.net-mvc session-variables