MVC - Store user permissions in session using NLB - Network Load Balancing

Viewed 226 times

2

We are developing an application (intranet) in MVC 4 where authentication is performed through Windows Authentication.

When the user enters the application, a call is made to a service that controls the permissions of the user in that module, and at that point all the screens and functionalities that the user can access are retrieved.

At first, we are storing this user permission information in the session, because whenever an action is executed in the controller we have to validate if the user actually has permission to perform such a task.

The problem is that we have now found out that the production server will be configured with NLB (Network Load Balancing), i.e., nothing guarantees that the user's next requests will be made to the same server, which can invalidate that user's session.

There are some settings that can be applied in NLB to address this session issue, but from what I've been reading this is not really recommended because it "breaks" the scalability of the application.

Does anyone know any other way where they could store this data or an alternative to this solution?

Thank you!

  • 1

    Do not use sessions for authentication when you need a load balancer. Try some alternative approach, such as the database itself or cookie-based authentication.

  • Do you have any example of cookie-based authentication? Is the user unable to manipulate the data, since it is recorded on the client?

  • In fact the authentication is already done. I need to know how to persist this information in a cookie securely.

  • Database.

  • You can take a look at my question: http://answall.com/questions/139539/sistema-de-permiss%C3%B5es-em-Asp-net-mvc. It may be an alternative for you.

1 answer

0

If it is really necessary to use sessions to preserve user permissions, you can use a StateServer or a SQLServer. The application configuration is done as follows:

StateServer

<configuration>
  ...
  <system.web>
    ...
    <sessionState mode="StateServer"
      stateConnectionString="tcpip=Teste:42424"
      cookieless="false"
      timeout="20"/>
    ...
  </system.web>
  ...
</configuration>

SQLServer

<configuration>
  ...
  <system.web>
    ...
    <sessionState mode="SQLServer"
      sqlConnectionString="Integrated Security=SSPI;data source=TesteSqlServer;" />
    ...
  </system.web>
  ...
</configuration>

The steps for setting up a StateServer are here.

If it is not necessary to use sessions, an authorization attribute can be a great alternative.
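An authorization attribute of the kind mentioned above could look like the following. This is an added example, not code from the answer: `IPermissionService`, `RequirePermissionAttribute`, the 5-minute cache lifetime and the `"Orders.Edit"` permission name are all hypothetical. Permissions are looked up by the Windows identity that IIS establishes on every request and cached per node, so nothing depends on session state or on data held by the client.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Caching;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction over the permission service described in the question.
public interface IPermissionService
{
    IEnumerable<string> GetPermissions(string userName);
}

// Usage (constructed permission name): [RequirePermission("Orders.Edit")]
public class RequirePermissionAttribute : AuthorizeAttribute
{
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5); // assumed value
    private readonly string _permission;

    // Assumption: assigned once at application start (e.g. in Global.asax).
    public static IPermissionService Service { get; set; }

    public RequirePermissionAttribute(string permission)
    {
        _permission = permission;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: the request must carry an authenticated (Windows) identity.
        if (!base.AuthorizeCore(httpContext)) return false;

        string user = httpContext.User.Identity.Name;
        string key = "perm:" + user.ToUpperInvariant();

        // Per-node cache: any node can rebuild it from the service,
        // so the load balancer needs no sticky sessions.
        var granted = MemoryCache.Default.Get(key) as HashSet<string>;
        if (granted == null)
        {
            granted = new HashSet<string>(Service.GetPermissions(user),
                                          StringComparer.OrdinalIgnoreCase);
            MemoryCache.Default.Set(key, granted, DateTimeOffset.UtcNow.Add(CacheTtl));
        }
        return granted.Contains(_permission);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: answer 403 instead of a new 401 challenge.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

A revoked permission stays effective on a node until its cache entry expires, so the lifetime is a trade-off between load on the permission service and revocation delay. If the service call throws, the request fails rather than being authorized.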
