ASP.Net MVC 2 authentication (login) best practices


I am developing an ASP.Net MVC 2 application as a composite application in SalesForce.com. For those not familiar with SalesForce.com, it is a CRM platform on the internet. A composite application is simply one that is shown inside an iframe in a separate tab.
So when the user logs in to salesforce.com, that user sees a bunch of tabs. My application is available when the user clicks on my application's tab. Then SalesForce.com passes Salesforce's session id to my app in the URL, which I can use to access Salesforce data without requiring the user to log in.
I have probably lost a lot of users who would just say: "hey, this is a salesforce.com-specific question, ask them".
Well, it is not Salesforce-specific, I think.
Ok, to carry on, people advise that ASP.Net MVC 2 authentication should be persisted in a cookie on the user's client machine. So basically I persist the user's id in a cookie, then if I need information about the user I just retrieve that.
In my case I see two problems:
1. I do use the client's information quite often, so I do not want to query salesforce.com every time for that. Is it a good idea to serialize and encrypt the user's information in a cookie? Also, the user's information is an object with two object properties: one containing a bunch of primitives and enums to describe the Salesforce user, and another one that contains a bunch of primitives and enums to describe the user in my local app.
2. My app runs from within an iframe, and as far as I know there will be problems storing a cookie on the user's machine. I am not sure if that is true. Also, when a user logs out of Salesforce, my cookie should be invalidated/deleted from the user's machine.
What I am doing right now is storing all of the user's information in the session, without cookies involved. I just cannot figure out why that would be a bad idea. I mean, I have read information about session hijacking and session expiration.
But in terms of session hijacking, if I encrypt and store the user's id in a cookie and keep the user's object in cache, and somebody steals the session, that somebody gets the cache too and takes the user's object, right?
In terms of session expiration, there must be a way to take care of that. I am not sure exactly how it is done, but I know that it could be done in ASP.Net. Persist in SQL Server, probably.
Any help on figuring out what the best practice for authentication in ASP.net MVC 2 in the current context (remember, my app is an iframe) would be very much appreciated.
Regards,
Kos

I'm not familiar with ASP.Net MVC 2, but I know Salesforce pretty well, so hopefully I can offer some pointers. I'm not really sure how ASP.Net MVC 2 would be maintaining a session without any cookies, so I'm assuming there is at least a light-weight ASP session id cookie stored on the user's machine, which gets passed to the server on each request to fetch the actual cached user info and other session info. If that is the case, I'd recommend having Salesforce send the generated SFDC child session id into the iframe as you are doing, and then store that on your end in the ASP session. For subsequent calls, the only thing that would be passing back and forth to your server would be the lightweight ASP session id, which you could then use to access the SFDC session id and other info.
As far as your requirement to kill the ASP session when the user logs out, there is not a great way to do this directly (i.e. no hook on logout), but since the generated SFDC session id that was passed to your iframe was a child of the UI session, it should be invalidated when the user logs out. That means that your app won't be able to access SFDC anymore, but if you also want to kill the ASP session, you could validate the ASP session on each request by validating the SFDC session (send a simple API call like getServerTimestamp()), and if you want to be even more aggressive, you could poll SFDC to see if the session is still valid every n minutes.
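One way to implement the per-request check the answer describes, as an added example that is not part of the original post: an ASP.NET MVC 2 action filter that keeps only the SFDC child session id in the server-side ASP session, re-validates it against Salesforce, and abandons the ASP session (and the cached user objects in it) once the SFDC session is dead. The `ISalesforceSessionValidator` interface, the `RevalidateAfter` throttle and the session key names are assumptions of this example; a concrete validator would wrap the generated Salesforce SOAP proxy's `getServerTimestamp()` call with the session id in its SessionHeader.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction (assumption): a real implementation wraps the generated
// Salesforce SOAP proxy, sets the session id in the SessionHeader and calls
// getServerTimestamp(); any SOAP fault (INVALID_SESSION_ID) means "not valid".
public interface ISalesforceSessionValidator
{
    bool IsSessionValid(string sfdcSessionId);
}

// Apply as [RequireSalesforceSession] on controllers that use SFDC data.
public class RequireSalesforceSessionAttribute : ActionFilterAttribute
{
    private const string SessionIdKey = "SfdcSessionId";     // assumed key name
    private const string LastCheckKey = "SfdcLastValidated"; // assumed key name
    // Throttle the API round trip; set to TimeSpan.Zero to validate every request.
    public static TimeSpan RevalidateAfter = TimeSpan.FromMinutes(5);
    public static ISalesforceSessionValidator Validator;     // wired at app start

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpSessionStateBase session = filterContext.HttpContext.Session;
        string sfdcSessionId = session[SessionIdKey] as string;
        if (string.IsNullOrEmpty(sfdcSessionId))
        {
            Reject(filterContext, session); // never received a child session id
            return;
        }
        DateTime? lastCheck = session[LastCheckKey] as DateTime?;
        if (lastCheck.HasValue && DateTime.UtcNow - lastCheck.Value < RevalidateAfter)
        {
            return; // validated recently enough, skip the SFDC call
        }
        if (!Validator.IsSessionValid(sfdcSessionId))
        {
            Reject(filterContext, session); // SFDC child session died (user logged out)
            return;
        }
        session[LastCheckKey] = DateTime.UtcNow;
    }

    private static void Reject(ActionExecutingContext filterContext, HttpSessionStateBase session)
    {
        session.Clear();   // drop cached user objects together with the ASP session
        session.Abandon();
        filterContext.Result = new HttpUnauthorizedResult();
    }
}
```

The tab page that receives the session id from the Salesforce URL stores it under `SfdcSessionId` once; nothing about the user other than the lightweight ASP session cookie ever leaves the server.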
