ASP.Net MVC 2 authentication (login) best practices
I am developing an ASP.Net MVC 2 application as a composite application in SalesForce.com. For those not familiar with SalesForce.com it is a CRM platform on the internet. What the composite application is it simply is shown inside an iframe in a separate tab. So when the user logs in to salesforce.com that user sees a bunch of tabs. My application is available when the user clicks on my application's tab. Then SalesForce.com passes in the url to my app salesforce's session id which I can use to access salesforce data without requiring the user to log in. I have probably lost a lot of users who would just say: "hey this is salesforce.com specific question ask them". Well it is not salesforce specific I think. Ok to carry on, people advice that ASP.Net MVC 2 authentication should be persisted in a cookie on the user's client machine. So basically I persist the user's id in a cookie then if I need information about the user I just retrieve that. In my case I see two problems: 1. I do use the client's information quite often so I do not want to query salesforce.com every time for that. Is it a good idea to serialize and encrypt user's information in a cookie? Also users information is an object with two object properties: one containing a bunch of primitives and enums to describe the salesforce user and another one that contains a bunch of primitives and enums to describe the user in my local app. 2. My app runs from within an iframe and as far as I know there will be problems storing a cookie on the user's machine. I am not sure if that is true. Also when a user logs out of salesforce my cookie should be invalidated/deleted from the user's machine. What I am doing right now is I am storing all users information in the session and without cookies involved. I just cannot figure out why would that be a bad idea. I mean I have read information about session hijacking and session expiration. But in terms of session hijacking if I encrypt and store user's id in a cookie and keep the user's object in cache and somebody steals the session that somebody gets the cache too and takes the user's object right? In terms of session expiration there must be a way to take care of that I am not sure exactly how it is done but I know that it could be done in ASP.Net. Persist in SQL server probably. Any help on figuring what the best practice about authentication in ASP.net MVC 2 in the current context (remember my app is an iframe) would be very much appreciated. Regards, Kos
I'm not familiar with ASP.Net MVC 2, but I know Salesforce pretty well, so hopefully I can offer some pointers. I'm not really sure how ASP.Net MVC 2 would be maintaining a session without any cookies, so I'm assuming there is at least a light-weight ASP session id cookie stored on the user's machine, which gets passed to the server on each request to fetch the actual cached user info and other session info. If that is the case, I'd recommend having Salesforce send the generated SFDC child session id into the iframe as you are doing and then store that on your end in the ASP session. For subsequent calls, the only thing that would be be passing back and forth to your server would be the lightweight ASP session id, which you could then use to access to SFDC session id and other info. As far as your requirement to kill the ASP session when the user logs out, there is not a great way to do this directly (i.e. no hook on logout), but since the generated SFDC session id that was passed to your iframe was a child of the UI session, it should be invalidated when the user logs out. That means that your app won't be able to access SFDC anymore, but if you also want to kill the ASP session, you could validate the ASP session on each request by validating the SFDC session (send a simple API call like getServerTimestamp()) and if you want to be even more aggressive, you could poll SFDC to see if the session is still valid every n minutes.
MVC EF-Code First Approach: Create New Database for every new user registered?
How to have one button do both “enable” and “disable” in ASP.net MVC
IdentityServer3: OWIN Katana middleware is throwing “invalid_client” error as it cannot get a token
MVC 5 form with no action
Why is asp-route-id not working in my form post?
how to change date format sent in filter for kendo grid?
A property has a space and Href is ignorning everything after it
How to populate 2 DropDownListFor for Strongly Typed model
Ninject does not resolve my registered services
Hi,I want to use session in mvc.i implemented the same but i am getting model property as null.please help me [duplicate]
RedirectToAction() NullReference Exception ASP.NET MVC [duplicate]
VS.2017 Core template Carousel image size?
ASP.Net Core MVC [key] attribute field autoincrements improperly in database [duplicate]
MVC5 - How to know if an action input was completely empty
How to use #scripts.render( /bundles/jqueryval ) in partial view?
Is there a way to search users of application via userId while using Identity?