We have an MVC 2/Entity Framework app that is a replacement/rewrite of an existing system. It's been using ASP membership for security during development but now we need to replace this so it is compatible with the customer's existing security infrastructure, partly to allow both old and new systems to run side by side for a while and also because they already have a process and system to set up customers and we can't replace this yet.
The existing security centers around a table in the database that stores a certificate number mapped to a customerid. The customerid is then used to filter relevant data sent back in the UI.
My question is what is the most efficient way to go from certificate number to customerid. Each MVC controller action can grab the certificate number from the HTTPContext and do a look up in the security table to get the customerid, but it seems inefficient to do this on every controller action. The system could have 1000 concurrent users. We are thinking that it should work similar to ASP.NET membership, where a username/password login generates a security token that is then placed in a cookie. Instead we would have the certificate replace the username/password login, but it would still generate a security token.
The problem is we don’t know enough about this system to determine how to go about it, or even if it’s the best way forward. If anyone can offer any advice or pointers to how we would implement this it would be much appreciated.
Either:

- add it to the user's Session once you look it up so it's available upon login, or
- add it to the forms auth ticket (make sure you are patched for the POET vulnerability or this could be forged).
If you choose to store this information in the ticket you can create a CustomIdentity object to store this customer id in.
```csharp
// Global.asax.cs. Runs after the FormsAuthenticationModule has validated the cookie,
// so the ticket can be decrypted and turned into our own IIdentity.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

/// <summary>
/// Deserializes the forms auth cookie with our userid, companyid, etc.
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    HttpCookie authCookie = HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie != null)
    {
        string encTicket = authCookie.Value;
        if (!String.IsNullOrEmpty(encTicket))
        {
            // Decrypt also verifies the ticket's MAC; a tampered cookie never gets this far.
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(encTicket);
            if (ticket == null || ticket.Expired)
            {
                return;
            }

            // CustomIdentity is our own IIdentity that pulls the customer id out of the ticket.
            CustomIdentity id = new CustomIdentity(ticket);

            // Assign the roles. If they aren't available, get from the session.
            // The problem is when we use this custom principal it seems our roles aren't populated.
            GenericPrincipal principal = new GenericPrincipal(id, new string[] { "User" });
            HttpContext.Current.User = principal;
        }
    }
}
```

After each request is authenticated via the forms auth ticket you can deserialize this information into a Customer IIdentity object which can then be read throughout the application via:
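The other half of the ticket approach, as an added example that is not part of the answer above: issuing the forms auth ticket once the certificate has been mapped to a customer id, and a CustomIdentity that reads the id back out of the ticket's UserData. The CustomIdentity class name follows the answer; the lookupCustomerId delegate stands in for the one-time query against the security table and is an assumption.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Identity built from the decrypted ticket; the customer id rides in UserData,
// which is covered by the ticket's encryption and MAC, so it cannot be edited client-side.
public class CustomIdentity : IIdentity
{
    public CustomIdentity(FormsAuthenticationTicket ticket)
    {
        if (ticket == null) throw new ArgumentNullException("ticket");
        int customerId;
        if (!int.TryParse(ticket.UserData, out customerId))
            throw new InvalidOperationException("Ticket carries no valid customer id.");
        Name = ticket.Name;
        CustomerId = customerId;
    }

    public int CustomerId { get; private set; }
    public string Name { get; private set; }
    public string AuthenticationType { get { return "Forms"; } }
    public bool IsAuthenticated { get { return true; } }
}

public static class CertificateLogin
{
    // Called once, when the certificate is first presented (e.g. from a login action).
    // lookupCustomerId is an assumed helper: certificate number -> customer id, or null.
    public static void IssueTicket(HttpResponseBase response, string certificateNumber,
                                   Func<string, int?> lookupCustomerId)
    {
        int? customerId = lookupCustomerId(certificateNumber);
        if (customerId == null)
            throw new UnauthorizedAccessException("Certificate is not mapped to a customer.");

        // Version 1 ticket, 30 minute lifetime, not persistent; customer id in UserData.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, certificateNumber, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, customerId.Value.ToString(), FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                      // keep script from reading the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // honour requireSSL from web.config
        response.Cookies.Add(cookie);
    }
}
```

Controllers then read `((CustomIdentity)User.Identity).CustomerId` instead of hitting the security table on every action.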