I have a website that I am working on that has both an intranet and internet deployment. The only difference between the 2 is a couple of config settings.
The intern
Avoid the session object for this. Application_AuthenticateRequest is where you want to be. In there, you can take the WindowsPrincipal, and then go to the database to populate your own custom IPrincipal-implementing object. This means that Application_AuthenticateRequest gets called a lot, though, so in my apps, I tend to cache the role data for at least a few seconds to cut down on database round trips. This also works with Forms authentication. The only difference between the two methods is that in the Forms scenario, you get a GenericPrincipal from the Forms auth module, and you'd use that to retrieve your own custom principal object instead of the WindowsPrincipal.
Another upshot of setting HttpContext.Current.User in Application_AuthenticateRequest is that, unlike if you put your principal in the Session object, you can use declarative security, such as decorating your methods with PrincipalPermissionAttribute.
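The approach described in the answer above, as an added example that is not the answerer's code. `AppPrincipal`, `LoadRoles` (standing in for the database query, with constructed sample data), the 30-second TTL and `ReportService` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Caching;

public sealed class AppPrincipal : IPrincipal   // hypothetical custom principal
{
    private readonly HashSet<string> _roles;
    public AppPrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return role != null && _roles.Contains(role); }
}

public class Global : HttpApplication
{
    // Short TTL: a revoked role can stay effective for at most this long.
    private static readonly TimeSpan RoleTtl = TimeSpan.FromSeconds(30);

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;   // WindowsPrincipal, or GenericPrincipal under Forms auth
        if (user == null || !user.Identity.IsAuthenticated) return;
        string key = "roles:" + user.Identity.Name.ToUpperInvariant();
        var roles = Context.Cache[key] as string[];
        if (roles == null)                // cache miss: one database round trip
        {
            roles = LoadRoles(user.Identity.Name);
            Context.Cache.Insert(key, roles, null, DateTime.UtcNow.Add(RoleTtl), Cache.NoSlidingExpiration);
        }
        var principal = new AppPrincipal(user.Identity, roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;   // the principal PrincipalPermission demands check
    }
    // Stand-in for the database query (constructed data); unknown users get no roles.
    private static string[] LoadRoles(string name)
    {
        bool isAlice = string.Equals(name, @"CORP\alice", StringComparison.OrdinalIgnoreCase);
        return isAlice ? new[] { "Admin" } : new string[0];
    }
}
public class ReportService   // hypothetical class using declarative security
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public void DeleteReport(int id) { /* throws SecurityException unless IsInRole("Admin") */ }
}
```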