Alan Alcock

Reputation: 787

ASP.NET MVC - Authenticate once and only once until session out

Setup

I am using custom Forms Authentication - all standard stuff.

In the Login action on my Account controller,

I registered a handler in Global.asax for the AuthenticateRequest event. In my handler,

Problem

I debug a request for the home page after I have logged in and note that the AuthenticateRequest handler in Global.asax is hit more than once per page request. I've checked the HttpContext.Current.Request.Path and this is because each resource on my page (effectively, every HTTP GET) is firing the authenticate request, so GET jquery.js, GET logo.png, etc.

Question

On the first handled AuthenticateRequest I go to the db and then set the HttpContext.Current.User to my custom principal. What would be a good way to avoid going to the db for subsequent HTTP GETs that cause the AuthenticateRequest to fire? Effectively, authenticate once and once only until the user closes their browser or until the Authentication Ticket expires.

TIA

Upvotes: 0

Views: 1558

Answers (1)

Darin Dimitrov

Reputation: 1039130

Instead of using the AuthenticateRequest method in your Global.asax, I would recommend writing a global action filter. This way the action filter will apply only before executing some action and populate the User. In fact, a custom [Authorize] attribute is the best way to achieve that:

using System.Web;
using System.Web.Mvc;

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            return false;
        }

        // TODO: go ahead and work with the UserData from the authentication cookie
        // basically all the steps you described for your AuthenticateRequest handler
        // except for checking the presence of the forms authentication cookie because
        // we know that at this stage it exists and the user was successfully authorized

        return true;
    }
}

Upvotes: 1
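
An added example, not part of the original question or answer: one way to do the database lookup only at login is to store the roles in the ticket's UserData and rebuild the principal from the already-validated ticket inside a custom authorize attribute. The names `TicketIssuer`, `SignIn` and `TicketRolesAuthorizeAttribute` are hypothetical, and the comma-separated role format in UserData is an assumption, since the page does not show what the original handler stored.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public static class TicketIssuer   // hypothetical helper, not from the page
{
    // Call once from the Login action, after credentials and roles were
    // checked against the database. Assumption: role names contain no commas.
    public static void SignIn(HttpResponseBase response, string userName, string[] roles)
    {
        var now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(FormsAuthentication.Timeout),
            false,                       // session cookie: gone when the browser closes
            string.Join(",", roles),     // UserData: keep it small, cookies are ~4 KB
            FormsAuthentication.FormsCookiePath);
        // Encrypt() encrypts and signs the ticket with the machineKey, so the
        // client cannot read or alter the roles (forms protection="All", the default).
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }
}

public class TicketRolesAuthorizeAttribute : AuthorizeAttribute   // hypothetical name
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // FormsAuthenticationModule has already decrypted and validated the
        // cookie; an expired or tampered ticket never yields a FormsIdentity.
        var identity = httpContext.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return false;

        var roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        // Set the principal before the base check so Roles = "..." on the attribute works.
        httpContext.User = new GenericPrincipal(identity, roles);
        return base.AuthorizeCore(httpContext);
    }
}
```

Roles carried in the ticket are trusted until it expires, so a role change or a disabled account is not seen until the next login. Keep the forms timeout short if that window matters.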
