ASP.Net MVC 2 authentication (login) best practices


I am developing an ASP.Net MVC 2 application as a composite application in SalesForce.com. For those not familiar with SalesForce.com, it is a CRM platform on the internet. A composite application is simply one that is shown inside an iframe in a separate tab.
So when the user logs in to salesforce.com, that user sees a bunch of tabs. My application is available when the user clicks on my application's tab. Then SalesForce.com passes salesforce's session id in the url to my app, which I can use to access salesforce data without requiring the user to log in.
I have probably lost a lot of users who would just say: "hey, this is a salesforce.com specific question, ask them".
Well, it is not salesforce specific, I think.
Ok, to carry on, people advise that ASP.Net MVC 2 authentication should be persisted in a cookie on the user's client machine. So basically I persist the user's id in a cookie, then if I need information about the user I just retrieve that.
In my case I see two problems:
1. I do use the client's information quite often, so I do not want to query salesforce.com every time for that. Is it a good idea to serialize and encrypt the user's information in a cookie? Also, the user's information is an object with two object properties: one containing a bunch of primitives and enums to describe the salesforce user and another one that contains a bunch of primitives and enums to describe the user in my local app.
2. My app runs from within an iframe and as far as I know there will be problems storing a cookie on the user's machine. I am not sure if that is true. Also, when a user logs out of salesforce my cookie should be invalidated/deleted from the user's machine.
What I am doing right now is storing all the user's information in the session, without cookies involved. I just cannot figure out why that would be a bad idea. I mean, I have read information about session hijacking and session expiration.
But in terms of session hijacking, if I encrypt and store the user's id in a cookie and keep the user's object in cache and somebody steals the session, that somebody gets the cache too and takes the user's object, right?
In terms of session expiration there must be a way to take care of that. I am not sure exactly how it is done, but I know that it could be done in ASP.Net. Persist in SQL server, probably.
Any help on figuring out what the best practice for authentication in ASP.net MVC 2 in the current context (remember my app is an iframe) would be is very much appreciated.
Regards,
Kos
I'm not familiar with ASP.Net MVC 2, but I know Salesforce pretty well, so hopefully I can offer some pointers. I'm not really sure how ASP.Net MVC 2 would be maintaining a session without any cookies, so I'm assuming there is at least a light-weight ASP session id cookie stored on the user's machine, which gets passed to the server on each request to fetch the actual cached user info and other session info. If that is the case, I'd recommend having Salesforce send the generated SFDC child session id into the iframe as you are doing and then store that on your end in the ASP session. For subsequent calls, the only thing that would be passed back and forth to your server would be the lightweight ASP session id, which you could then use to access the SFDC session id and other info.
As far as your requirement to kill the ASP session when the user logs out, there is not a great way to do this directly (i.e. no hook on logout), but since the generated SFDC session id that was passed to your iframe was a child of the UI session, it should be invalidated when the user logs out. That means that your app won't be able to access SFDC anymore, but if you also want to kill the ASP session, you could validate the ASP session on each request by validating the SFDC session (send a simple API call like getServerTimestamp()) and if you want to be even more aggressive, you could poll SFDC to see if the session is still valid every n minutes.
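The approach in this answer, as an added example that is not part of the original thread: the SFDC child session id is captured from the landing URL and kept server-side in the ASP.NET session, and an MVC 2 authorization filter re-validates it against Salesforce at most once every n minutes, clearing the ASP session when Salesforce reports it gone. `ISalesforceSessionValidator`, the `sid` query parameter, and the session key names are assumptions; the validator body is where a lightweight call such as getServerTimestamp() would go.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical wrapper around a cheap Salesforce API call (e.g. getServerTimestamp())
// that returns false once the child session has been invalidated by a logout.
public interface ISalesforceSessionValidator
{
    bool IsValid(string sfdcSessionId);
}

// Authorization filter: the browser only ever carries the ASP.NET session cookie;
// the SFDC session id never leaves the server and is re-checked every RecheckMinutes.
public class RequireSalesforceSessionAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string SessionIdKey = "SfdcSessionId";     // assumed session key names
    public const string LastCheckKey = "SfdcLastValidated";
    public static ISalesforceSessionValidator Validator { get; set; } // set at app start
    public int RecheckMinutes { get; set; }

    public RequireSalesforceSessionAttribute() { RecheckMinutes = 5; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var session = filterContext.HttpContext.Session;
        var sfdcSessionId = session[SessionIdKey] as string;
        var lastCheck = session[LastCheckKey] as DateTime?;

        // Skip the round trip to Salesforce if the session was validated recently.
        if (!string.IsNullOrEmpty(sfdcSessionId) && lastCheck.HasValue &&
            DateTime.UtcNow - lastCheck.Value < TimeSpan.FromMinutes(RecheckMinutes))
            return;

        if (!string.IsNullOrEmpty(sfdcSessionId) && Validator.IsValid(sfdcSessionId))
        {
            session[LastCheckKey] = DateTime.UtcNow;
            return;
        }

        // Salesforce logout (or a missing id): drop everything cached server-side and deny.
        session.Clear();
        session.Abandon();
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

public class HomeController : Controller
{
    // Landing action: Salesforce opens the tab with the child session id in the URL.
    public ActionResult Enter(string sid)
    {
        if (string.IsNullOrEmpty(sid)) return new HttpUnauthorizedResult();
        Session[RequireSalesforceSessionAttribute.SessionIdKey] = sid;
        return RedirectToAction("Index");
    }

    [RequireSalesforceSession(RecheckMinutes = 5)]
    public ActionResult Index() { return View(); }
}
```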
