I am developing a new web application for the Windows Azure cloud, but have become confused by all the available guidelines, best pratices, storage possibilites, caching and security. I have watched a ton of videos, and read a ton of documentation, but the more I read, the more confusion is added to the layer of decision making. Here is what I what want:
1 – Develop a web application where users can login using a email/password combination. When logging in the user will have a session containing a combination of a UserID+CustomerID. The UserID+CustomerID will be used to display specific data for this user. The application is for law firms, so the security has to be very tight. The application will have 10000+ users, and maybe around 200-500 concurrently. I have read that ASP.NET Sessions should be stored in the Shared Caching service in order for Sessions not to be reset in case of a node upgrade/faulty node. As far as I understand there is 100 transactions per second limit on 128 mb cache – I am not sure this works – If I am getting Session data from the Cache will this count as one transaction?
In an old application I am using code like this (is this approach the right one for Azure, or should I develop some custom Session management system for handling? Any code samples?):
protected void CustomValidatorLogin_ServerValidate(object source, ServerValidateEventArgs args)
{
string result = String.Empty;
if (DataAccess.User_Logon(this.txtEmail.Text, this.txtPassword.Text, Request.UserHostAddress, Request.UserAgent, ref result)
{
args.IsValid = true;
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, this.txtEmail.Text, DateTime.Now, DateTime.Now.AddMinutes(Constants.sessionExpires), false, result);
HttpCookie cookie = null;
if (cbRemember.Checked)
{
FormsAuthenticationTicket sticket = new FormsAuthenticationTicket(1, result, DateTime.Now, DateTime.Now.AddMinutes(Constants.sessionExpires), false, result);
cookie = new HttpCookie(FormsAuthentication.FormsCookieName + Constants.cookiePrefix, FormsAuthentication.Encrypt(sticket));
cookie.Expires = DateTime.Now.AddYears(1);
}
else
{
cookie = new HttpCookie(FormsAuthentication.FormsCookieName + Constants.cookiePrefix, string.Empty);
cookie.Expires = DateTime.Now.AddYears(-1);
}
Response.AppendCookie(cookie);
FormsAuthentication.SetAuthCookie(result, false);
}
else
{
args.IsValid = false;
}
}
2 – Similar, according to this
http://www.windowsazure.com/en-us/develop/net/best-practices/security/
there is a ton of security considerations I should be aware of.
Could anybody recommend some code samples on how to create login
functionality taking these best-practices into?
3 – The system will allow users to save data (upload files) which can later be downloaded, deleted, updated. The files will both be user-specific (UserID), but also customer specific (CustomerID). A user can for example upload a file the only he will have access to (UserID), but he can also upload a file that will be available to the entire organization (the law firm) based on CustomerID. I am confused whether to choose BLOB or Tables and why. In addition what would then be the best practice to implement such functionality.
4 – I am thinking about using Enterprise Library for Data Access Layer – does anybody know a good video walkthrough for newcomers to Azure?
This is a awful lot of questions I know, but still hoping for some expert recommendations.
Cheers.
It sounds like you are making some key design decisions for a production application, so I would strongly encourage you to work with an expert and not rely on forum advice alone for something this fundamental.
Regarding item 1 (security), the security best practices article you referenced is a good one but it won’t make your decisions for you. As it points out, there are many ways to handle identity, and Windows Azure doesn’t make you do it a certain way. The most modern way to handle identity Is called claims-based security. If you go with claims-based security, you will need to decide who your identity provider (IP) is. That could be a domain (via Active Directory), a social-web network provider (such as Google or Yahoo or Facebook), or your own custom security token service backed by a credentials database. If you want to support multiple identity providers (so users have a choice of how they sign in), you would want to leverage Windows Azure’s Access Control Service as an intermediary. Make sure your IP(s) can provide the information you need to make good authorization decisions.
Regarding item 2 (security samples), I recommend trying out the hands-on labs in the Windows Identity Developer Training Kit. That will give you a good feel for what claims-based security is like.
Regarding item 3 (saving and retrieving file-oriented data) blob storage would be the logical service to use. You’ll need to provide an access layer and user interface in order to provide the security and sharing features you described.
Regarding item 4 (using Enterprise Library for Data Access on Windows Azure), this article may be helpful.