Thank you Brock! I had a fast overview on it and it was still buzzing in my head for some good reason it seems. Going to check.
manight
So you think the "cookie" solution should be viable performance/scalability wise, better than the SQL select on each request?
BrockAllen
Re: Using cookies for custom role provider
Apr 29, 2012 06:17 PM
Yea, security is hard/tricky... and there's a lot to keep in mind. It's also a lot of fun :)
So the cookie approach is fine for most desktop-browser scenarios. If you're talking about mobile devices, then having 2 or 3 maxed out cookies then you might just want to do that caching in-memory on the server and rebuild the user's roles/claims/whatever on each request (which is also fine). Correctness first, then performance :)
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/