I’m working on a Web project using Asp.Net MVC, which I’ll have to deploy to a farm environment.
I’ve read a lot of articles and I’m thinking on disabling completely the SessionState, I think this would make a more robust application, and will save me a couple of headaches (Everything I’ve read tells me that handling sessions on a farm isn’t trivial).
There are some things that I still don’t have totally clear with this approach though, the main one being the authentication/authorization process. Basically I’m not sure of how (if?) I can handle user sessions if there’s no SessionState enabled on the server.
If a user logs into the web site and then tries to access another page, how can I know that the user is already logged in?
I know using cookies is insecure, I thought of a mix of cookies with the session Id stored in the DB, but I suppose that if I disable SessionState I won’t have access to the session id either.
What’s the best approach on this? Is there any recommended book/article you can point me to so I can get this clear?
Thanks a lot for your help
I think use Forms Authentication for this this will be manage your logged in user name and you can also set authorization through this.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
http://msdn.microsoft.com/en-us/library/xdt4thhy.aspx
http://www.codeproject.com/KB/web-security/formsroleauth.aspx
http://www.beansoftware.com/ASP.NET-Tutorials/Forms-Authentication-Active-Directory.aspx
These links are ans of your each question. Through this you can manage role authorization and session