Session state in IAuthorizationService

Nov 18, 2008 at 6:07 AM
Edited Nov 18, 2008 at 3:36 PM

In my application, I'm implementing my own IAuthorizationService to look up the user's access rights in a database and perform authorization accordingly.

Because of the multiple times that IsAuthorized is called (and consequently the database, resulting in slow page loads), I'm looking into storing values in the session state after retrieval from the database. However, session state is not available when IAuthorizationService is called.

Does anyone have any suggestions as to how this can be done? Currently I'm implementing my own WebClientAuthorizationModule. I swapped in an IRequiresSessionState handler on the PostMapRequestHandler event, and I handle the authorization at the AcquireRequestState event of the HttpApplication instead of the AuthorizeRequest event (as session state is not available at AuthorizeRequest). I'm not sure if there is a better way, or if there will be any problems with the way I'm doing it at the moment, hence I want to seek some opinions here.


Edit: Actually, I did a bit of reading up, and it seems that ASP.NET is designed this way to prevent user information from being stored in session. Now I'm really wondering if what I'm doing is proper.

Nov 19, 2008 at 9:15 PM
In Enterprise Library, there is a cache block. Only a few lines of code plus configuration.
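
An added example, not code from either poster or from Enterprise Library: a minimal in-process sketch of the caching idea discussed in this thread, which keeps authorization decisions out of session state so the check can stay in AuthorizeRequest. `IRightsStore`, `CachedAuthorizer` and their members are hypothetical names standing in for the database lookup and the cache; the clock is injected so expiry can be exercised without waiting.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the database-backed rights lookup.
public interface IRightsStore { bool HasRight(string user, string rule); }

public sealed class CachedAuthorizer
{
    private sealed class Entry { public bool Allowed; public DateTime ExpiresUtc; }

    private readonly IRightsStore _store;
    private readonly TimeSpan _ttl;
    private readonly Func<DateTime> _utcNow;
    private readonly Dictionary<string, Entry> _cache = new Dictionary<string, Entry>();
    private readonly object _gate = new object();

    public CachedAuthorizer(IRightsStore store, TimeSpan ttl, Func<DateTime> utcNow)
    { _store = store; _ttl = ttl; _utcNow = utcNow; }

    // Length-prefixed user name keeps keys unambiguous, so one user's
    // cached decision can never be served to a different user.
    private static string Prefix(string user) { return user.Length + ":" + user + "|"; }

    public bool IsAuthorized(string user, string rule)
    {
        // Unauthenticated callers are denied and never cached.
        if (string.IsNullOrEmpty(user)) return false;
        string key = Prefix(user) + rule;
        lock (_gate)
        {
            Entry hit;
            if (_cache.TryGetValue(key, out hit) && hit.ExpiresUtc > _utcNow())
                return hit.Allowed;
        }
        bool allowed = _store.HasRight(user, rule); // database hit, outside the lock
        lock (_gate)
        {
            // A short absolute TTL bounds how long a revoked right keeps working.
            _cache[key] = new Entry { Allowed = allowed, ExpiresUtc = _utcNow() + _ttl };
        }
        return allowed;
    }

    // Call when a user's rights change, so revocation takes effect at once.
    public void Invalidate(string user)
    {
        string prefix = Prefix(user);
        lock (_gate)
        {
            var stale = new List<string>();
            foreach (string k in _cache.Keys)
                if (k.StartsWith(prefix, StringComparison.Ordinal)) stale.Add(k);
            foreach (string k in stale) _cache.Remove(k);
        }
    }
}
```

The custom IAuthorizationService would hold one shared `CachedAuthorizer` and pass it `HttpContext.Current.User.Identity.Name` together with the rule being checked. Expired entries are only replaced when the same key is looked up again, so a production version would also need size-bounded eviction, which a cache component such as the one mentioned in the reply provides.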