I am implementing a custom HTTPModule to provide authentication/authorization by reading credentials off a smartcard's certificate. The HTTPModule creates a custom implementation of the IPrincipal interface and assigns it to the Context's User object.
The custom principal object looks like this:
public class SmartCardPrincipal : IPrincipal
private SmartCardIdentity _identity;
private Hashtable _roles;
private bool _rolesLoaded;
public IIdentity Identity
public bool IsInRole(string role)
_roles = new Hashtable();
//Query SQL Server Database for User's Roles, based on user's email address contained in SmartCardIdentity (read off user's SmartCard)
[ Database Code ]
_rolesLoaded = true;
public SmartCardPrincipal(SmartCardIdentity identity)
this._identity = identity;
this._rolesLoaded = false;
SmartCardIdentity is a custom implementation of IIdentity interface and contains the email address and name read off the user's SmartCard.
The problem I am having is the Context's User object is set to null on every postback. So the hashtable of roles is destroyed along with the whole principal object. So the database is being queried for the user's roles every time something is selected in a listbox or a button is pressed. This seems way too inefficient.
Is there any way for the asp.net website to remember the user's custom principal object between postbacks ? Can it be stored in a session variable ? I am thinking for forms authentication, the membership database is queried only once for a user and then the info is stored in a cookie. But I don't want to create a custom cookie.
-- Edit: I did some testing it seems the session object is null in the HTTPModule, so doesn't look like session variable can be used. Any other way ?