
Keeping user's Information in Custom membership & role provider in MVC 4 ASP.NET

I am implementing a custom membership provider and role provider for authentication purposes in ASP.NET MVC 4.

I followed this blog.

This app is a very big and very sensitive app. I am not using the built-in authentication of MVC; I want to implement my own database schema.

I need to provide different privileges on different pages for the same users. For example, the same user could be an administrator on one page and a guest on another; some users may have a read/write role while others have read only, etc. For this purpose I need to keep the user's information like username, userid, user_role and some other profile information and to check them on each click and each page on the website.

My providers are working properly; I just have these questions.

What is the best way (in terms of security and CPU processing) to keep this information with me and then check/compare it?

  1. Keep in session and check everywhere?
  2. Keep in cookie and check everywhere?
  3. Do not need to save/keep; on page load get from db and decide at that time?
  4. Is there any other way to do so?
  5. In MVC, where do I need to have this check of whether this user is authenticated to read this page/section or not? (In the Index action of each Controller?)

  1. In MVC you check for all actions, not just Index(). An attacker can reach out for any action in any order.
  2. The session can be lost at any time if the server restarts the worker process.
  3. Putting sensitive info in a cookie is hazardous at best. You need to make the information tamper proof.
  4. Reloading roles from the data store at each request is pretty much how the existing role provider does it.
  5. You should really consider writing a custom MembershipProvider and RoleProvider and then simply use the normal [Authorize()] directives on the controller actions. That way your application is easier to manage in the future.
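
An added example, not part of the original answers: one way to enforce the per-section privileges the question describes by subclassing MVC's `AuthorizeAttribute`, so the check runs on every action and the role is read from the data store on each request. `SectionRoles`, `SectionAuthorizeAttribute`, the section and role names, and the sample rows are hypothetical and stand in for your own schema.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical store over your own schema; the rows below are constructed sample data.
public static class SectionRoles
{
    // Returns the user's role in one section, or null when no row exists (no access).
    public static string Lookup(string userName, string section)
    {
        if (userName == "alice" && section == "Reports") return "Admin";
        if (userName == "alice" && section == "Billing") return "ReadOnly";
        return null; // replace with a parameterized query against your tables
    }
}

// Runs on every request to every action it covers; nothing is kept in session or a cookie.
public class SectionAuthorizeAttribute : AuthorizeAttribute
{
    public string Section { get; set; }
    public string Allowed { get; set; } // comma-separated role names

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false; // not authenticated
        string role = SectionRoles.Lookup(httpContext.User.Identity.Name, Section);
        // Fails closed: no row, or an empty Allowed list, denies access.
        return role != null && (Allowed ?? "").Split(',')
            .Any(r => string.Equals(r.Trim(), role, StringComparison.OrdinalIgnoreCase));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: 403 instead of a redirect back to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Applied at class level so every action is covered, not only Index().
[SectionAuthorize(Section = "Reports", Allowed = "Admin,ReadWrite,ReadOnly")]
public class ReportsController : Controller
{
    public ActionResult Index() { return Content("report list"); }

    [SectionAuthorize(Section = "Reports", Allowed = "Admin")] // stricter, checked in addition
    public ActionResult Delete(int id) { return Content("deleted " + id); }
}
```

MVC caches and reuses filter attribute instances across requests, so the attribute holds only its configuration (`Section`, `Allowed`) and never per-user state.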

Don't baffle yourself with these deep questions. All the things you need are prepared by Microsoft Membership providers. You need no more than storing user data and roles assigned to them based on your scenario. Since we have 2 membership providers named Katana and Owin during Asp.net MVC progress time. But if you wanna implement your own membership provider, the problem differs; looking at the following links may be useful:

  1. How to configure Custom Membership and Role Provider using ASP.NET MVC4
  2. Custom Membership and Role provider in ASP.NET MVC 4
  3. How do I create a custom membership provider for ASP.NET MVC 2?
  4. How to configure Custom Membership Provider using ASP.NET MVC4 with external login like facebook, yahoo , google or other relying party accounts.
