ASP.NET Core Identity: claims vs. properties (from an efficiency point of view)
I have read all the tutorials and questions on the topic, but they contradict each other:

- Claims (usernames and roles) are serialized into the cookie (along with any custom Identity claims you define by overriding the principal factory), but they are not queried; they are stored in the cookie, which means the more claims a user has, the more data has to travel both ways between the server and the browser.
- A custom Identity user property is not serialized by default but is queried from the database, so every time you need that data it is fetched from the database, which puts more load on the database per request if you query it frequently.

Which is more efficient and safer?

For example: should IsAdmin be a role / claim? But if someone steals the cookie... well, the cookie already contains the user id / username / security stamp, so even if IsAdmin is a property, the user id in the stolen cookie will still be used to look up the custom user property. Or is there something that prevents the cookie from working once stolen?

Another case: if I have 20 properties for a user (first name, last name, address 1, address 2, zip code, and so on), should I just ask the user to put up with a slower cookie being sent back and forth, or should I do all the work from the DB using custom user properties?

But then, if I remove or add a claim for the user, will it be updated on the next request if it is not queried, or does the security stamp confirm that this cookie is still valid?

Looking at the `Task AddClaimsAsync` call in the custom EF Core store, it only adds the claim to the DbSet.

I'm sorry, I know these are a lot of questions, but the resources on the subject are not that good and it is easy to get lost after reading the Identity source.
The rule of thumb: put frequently accessed items in a claim; everything else can live in the database and be queried on demand. That is, address 1 and address 2 are unlikely to be required on every request, so store them in the database. On the other hand, IsAdmin (which should be a role anyway) will, I imagine, be checked on every request, so it should be in the cookie without a DB request.

If you are afraid that your cookies have been stolen, do not show them to anyone! Configure SecurityStampValidator to do frequent checks, for example every 5 minutes. This basically refreshes the cookie with the latest information from your database and replaces the cookie. Therefore, even if the cookie is stolen, it will only work for 5 minutes.
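The setup the answer above describes (a claim that travels in the cookie plus a 5-minute security-stamp check), as an added example that is not part of the question or either answer. AppUser, AppClaimsPrincipalFactory and IdentitySetup are hypothetical names, and it assumes Identity with an EF Core store is already registered.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Hypothetical user type with one extra column that is checked on most
// requests, so it belongs in the cookie rather than in a per-request query.
public class AppUser : IdentityUser
{
    public bool IsAdmin { get; set; }
}

// Adds IsAdmin as a claim whenever the principal is generated: at sign-in and
// again each time the security-stamp validator refreshes the cookie.
public class AppClaimsPrincipalFactory : UserClaimsPrincipalFactory<AppUser>
{
    public AppClaimsPrincipalFactory(UserManager<AppUser> userManager,
                                     IOptions<IdentityOptions> options)
        : base(userManager, options) { }

    protected override async Task<ClaimsIdentity> GenerateClaimsAsync(AppUser user)
    {
        var identity = await base.GenerateClaimsAsync(user);
        // Only values needed on (almost) every request go here; address
        // lines and similar profile data stay in the database.
        identity.AddClaim(new Claim("IsAdmin", user.IsAdmin ? "true" : "false"));
        return identity;
    }
}

public static class IdentitySetup
{
    // Assumes services.AddIdentity<AppUser, ...>() with an EF Core store
    // has already been called; this registration replaces the default factory.
    public static void Configure(IServiceCollection services)
    {
        services.AddScoped<IUserClaimsPrincipalFactory<AppUser>, AppClaimsPrincipalFactory>();

        // Re-check the stamp in the cookie against the database every 5 minutes.
        // Match: principal is regenerated, so changed claims show up within
        // one interval. Mismatch: the cookie is rejected and the user signed out.
        services.Configure<SecurityStampValidatorOptions>(o =>
            o.ValidationInterval = TimeSpan.FromMinutes(5));
    }

    // Call after changing anything the cookie carries (IsAdmin, roles) or when
    // a session is suspected stolen: every existing cookie for this user fails
    // its next stamp check instead of living until it expires.
    public static Task<IdentityResult> InvalidateSessionsAsync(
        UserManager<AppUser> users, AppUser user) =>
        users.UpdateSecurityStampAsync(user);
}
```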
I don't think these two statements contradict each other; it depends on your configuration. The second statement says "by default".

You don't need to store all the information in claims, and you don't need all the information all the time. If you want profile information, call the server once and store it on the client, or retrieve it when needed.

The same goes for authorization if you want to show / hide items based on permissions. This may include a claim called "IsAdmin". Authorization must be kept next to the resource.

If your client wants to update information, just call the server. Claims are not updated on every request; in general, the user has to log out and log back in. Thus claims are not flexible and therefore not suitable for properties that may change (often).

As far as security is concerned, it doesn't really matter that the client can change the information; it is only for display. It doesn't change the permissions in the backend.

You can add something like a display name to the claims if you show it on every page. You may also consider implementing caching to limit database calls. In the end it really depends on your requirements.

As for the stolen cookie, you will need to implement additional security on your server to detect suspicious behavior. You might want to include the IP address as a claim. As far as the administrator goes, add extra security, e.g. filter by IP address and / or use an additional code sent by email.