I am currently developing an ASP.NET MVC4 website, and I would like to know what the best practices are for storing the logged-on user's data (including privileges) and authorizing the user securely, while being able to access this data in both my views and controllers.
One important thing to mention: I am NOT using the Membership class (I've seen that it's an overhead for me to use it, and I would like to implement exactly the things I need and learn from the process).
The only way I thought to do it is storing all the data inside the session object, having a wrapper to the session object (a static class) and using it like SessionManager.IsLoggedIn(), SessionManager.GetUserPriviliges(), or simply creating a method that returns a hard-typed UserSessionData, SessionManager.GetSessionData(), that contains all the data required.
This is one way to use it in both controllers and views. Shall I derive from Controller and create a RolesController which stores UserSessionData so I won't need to call it again and again in my controllers?
I guess I won't be able to use the common AuthorizeAttribute, so I will have to implement it by using the session wrapper (is it safe to use only the session data? Since I am not using the 'official' authorization method, I don't really know how it should be implemented).
As you see, I have an idea, but since it's my first time doing it I would like to learn about the best practices and the way it should be done correctly. I would be thankful if you explained your answers, since I want to get the complete idea and I haven't done it before in MVC.
Thanks in advance!
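One way to realize the session-backed scheme sketched in the question (a typed UserSessionData, a static SessionManager wrapper, and a custom authorize attribute that can replace [Authorize]), as an added example that is not the poster's code; the type members, the Privilege property, the session key and the login URL are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Server-side snapshot of the logged-on user kept in Session (hypothetical type).
// Nothing here comes from the client, so it cannot be tampered with like a cookie.
[Serializable]
public sealed class UserSessionData
{
    public int UserId { get; set; }
    public string UserName { get; set; }
    public string[] Privileges { get; set; }
}

// Single typed accessor for controllers and views; the key is an assumption.
public static class SessionManager
{
    private const string Key = "UserSessionData";

    public static UserSessionData GetSessionData(HttpSessionStateBase session)
    {
        return session == null ? null : session[Key] as UserSessionData;
    }

    public static bool IsLoggedIn(HttpSessionStateBase session)
    {
        return GetSessionData(session) != null;
    }

    // Call only after the credential check succeeded; SignOut drops the whole session.
    public static void SignIn(HttpSessionStateBase session, UserSessionData data) { session[Key] = data; }
    public static void SignOut(HttpSessionStateBase session) { session.Abandon(); }
}

// Drop-in replacement for [Authorize] that checks the session snapshot on every
// request, e.g. [SessionAuthorize(Privilege = "ManageUsers")] on an action or controller.
public sealed class SessionAuthorizeAttribute : AuthorizeAttribute
{
    public string Privilege { get; set; }   // empty means "any logged-on user"

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = SessionManager.GetSessionData(httpContext.Session);
        if (user == null) return false;                        // not logged in
        if (string.IsNullOrEmpty(Privilege)) return true;      // authenticated is enough
        return Array.IndexOf(user.Privileges ?? new string[0], Privilege) >= 0;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Anonymous users go to the login page; a logged-on user lacking the privilege
        // gets 403 so a missing privilege is not confused with an expired session.
        bool loggedIn = SessionManager.IsLoggedIn(filterContext.HttpContext.Session);
        filterContext.Result = loggedIn ? (ActionResult)new HttpStatusCodeResult(403)
                                        : new RedirectResult("~/Account/Login");
    }
}
```

Because the check runs in AuthorizeCore for each request, revoking a privilege only requires replacing the stored UserSessionData (or abandoning the session) rather than waiting for a cookie to expire.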