Can I just use Session["role"] = "theRole", or would that be a bad practice? I would then create my custom authorize attribute, where I'm going to look into the Session.
I would advise against it. .NET already has plenty of built-in functionality to implement security features. Don't re-invent the wheel, especially where security is concerned.
You do not need to implement a membership provider. All you need to do is set HttpContext.User to a custom IPrincipal and you can use User.IsInRole("role") and [AuthorizeAttribute(Roles="role")].
I would suggest role information is more suited to the authorization ticket than the session. Storing the data in the session could cause added problems of syncing the session lifespan with the authorization ticket lifespan. The session could possibly expire while the user is still logged in.
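A sketch of the approach the answer above describes, added here as an example and not code from the answer's author. It assumes classic ASP.NET forms authentication (System.Web) with roles stored comma-separated in the ticket's UserData; the RoleTicket helper and its SignIn method are hypothetical names.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper: call from the login action once credentials are verified.
public static class RoleTicket
{
    public static void SignIn(HttpResponseBase response, string userName, string[] roles)
    {
        // Roles travel inside the encrypted, MAC-protected ticket (UserData),
        // so their lifetime is the ticket's lifetime, not the session's.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            false,                                  // not persistent
            string.Join(",", roles),                // assumed format: "Admin,Editor"
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }
}

// Global.asax.cs
public class MvcApplication : HttpApplication
{
    // Runs after FormsAuthenticationModule has decrypted and validated the ticket
    // (signature, expiry), so a tampered or expired cookie never reaches this code
    // as an authenticated FormsIdentity.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        var roles = (identity.Ticket.UserData ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // From here on, User.IsInRole("Admin") and [Authorize(Roles = "Admin")] work.
        Context.User = new GenericPrincipal(identity, roles);
    }
}
```

Roles are fixed at the moment the ticket is issued, so a role change or revocation only takes effect when the ticket is reissued; keep the ticket timeout short if that matters.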