Choose between ASP identity claims and session data

Josh · Feb 5, 2016 · Viewed 7.8k times

I am trying to make a choice between storing user-specific data in my MVC application either as identity claims or as session data to reduce the number and frequency of database round trips on requests. However, considering performance, security and other best practice considerations, I don't know which route to go.

I will appreciate any suggestions on this.

Answer

rawel · Feb 8, 2016

How you store user data for your app is very much dependent on the application itself. But as a guide, using claims-based authentication and storing the claims in a session cookie is a very common approach. Have a look at ASP.NET Identity - http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity

You should be able to optimize the data stored in the session cookie. For example, if your application always needs to display the name of the user on every page, you can have the name claim in the session cookie. But if you need to display other user information like address, company etc. in only one 'user profile' page, you can query those details in a database using the 'nameidentifier' claim stored in the session cookie. If you look into ASP.NET Identity you will see that you will not need to work with the session cookie directly, as the cookie authentication middleware makes sure the claims are available via the User property (or ClaimsPrincipal.Current) of the MVC controller. You should decide what claims should be available to all requests via the User property and what user properties should be queried through some userInformation database. Of course, you should store the key (nameidentifier or email) to the userInformation database in the claims, so that you can query the database anytime you wish.
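The split this answer describes, as an added example that is not part of the original answer or of ASP.NET Identity itself: only the lookup key and the display name travel as claims, and the profile is fetched on demand by the nameidentifier claim. `UserProfile`, `ProfileStore`, `BuildCookiePrincipal`, `LoadProfile` and the sample values are hypothetical; in an MVC application the cookie authentication middleware would supply the principal as `User`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical profile record; stands in for a row in the userInformation database.
public sealed class UserProfile
{
    public string Address { get; set; }
    public string Company { get; set; }
}

public static class ClaimsSplitExample
{
    // Constructed sample data standing in for the userInformation database.
    static readonly Dictionary<string, UserProfile> ProfileStore =
        new Dictionary<string, UserProfile>
        {
            { "42", new UserProfile { Address = "1 Example Street", Company = "Example Ltd" } }
        };

    // Claims placed in the session cookie: only the lookup key and what every page shows.
    public static ClaimsPrincipal BuildCookiePrincipal(string userId, string displayName)
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, userId),
            new Claim(ClaimTypes.Name, displayName)
        }, "ApplicationCookie"); // constructed authentication type label
        return new ClaimsPrincipal(identity);
    }

    // Profile page: resolve the key from the claims, then query the store on demand.
    public static UserProfile LoadProfile(ClaimsPrincipal user)
    {
        var id = user.FindFirst(ClaimTypes.NameIdentifier);
        if (id == null) throw new InvalidOperationException("nameidentifier claim missing");
        UserProfile profile;
        return ProfileStore.TryGetValue(id.Value, out profile) ? profile : null;
    }

    public static void Main()
    {
        var user = BuildCookiePrincipal("42", "Josh");
        Console.WriteLine("Every page: " + user.Identity.Name);   // read from claims, no query
        var profile = LoadProfile(user);                           // one query, profile page only
        Console.WriteLine("Profile page: " + profile.Company + ", " + profile.Address);
    }
}
```

Claims are a snapshot taken at sign-in, so data that changes often or must not leave the server belongs in the database lookup rather than in the cookie.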