From: http://www.cnblogs.com/zhouxunyu/p/3790122.html
Analysis: Different users who log on to the system are given different operation permissions. The users are stored in the database, and the field that identifies a user's permissions is also saved in the user table in the database.
Problem: How to take the field that identifies the user's permissions out of the database and keep it in the running program.
Scenario One: Create a user class that encapsulates the information queried from the user table; instantiate the class for the user to get the permission field.
Analysis: This solution is feasible. The disadvantage: once the system is deployed and released online and a large number of users access it, many instances of the user class are created and the server load becomes very large.
If this solution is applied to a C/S architecture, I personally think it is the most convenient and the best.
Scenario Two: The information that is queried from the user table, especially the field information that identifies the user's permissions, is saved to the session.
Analysis: This solution looks feasible. The disadvantage: the session has a timeout mechanism, and once the session times out, the operation fails with an error.
Session timeout solution: session.time=12000; or configure it in the configuration file:

    <configuration>
      <system.web>
        <sessionState
          mode="InProc"
          cookieless="true"
          timeout="+" />
      </system.web>
    </configuration>

If you want the session never to time out, put a hidden iframe with no content, or a button or similar element, on the page and refresh it on a timer; the session will then never time out. However, it is best not to do that: catch the timeout and let the user log in again.
Scenario Three: The information that is queried from the user table, especially the field information that identifies the user's permissions, is saved to the cookie.
Analysis: This solution seems to work as well. The disadvantage is that cookies have an expiration mechanism, and there is a cookie conflict if multiple users log on from the same computer.
Solving the cookie conflict problem: Use key-value pairs with the ID as the key. The ID in the database is always unique, so this easily solves the cookie conflict problem. However, it is best not to use cookies for permission settings: cookies carry a risk and leave the entire application insecure. If the user changes the local cookie value, the permission changes accordingly, so this is not recommended.
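
The tampering risk described above, as an added C# example that is not part of the original post: the server appends an HMAC to the ID/permission pair it writes to the cookie and rejects any value that was changed on the client. The class and method names, the cookie layout and the demo key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PermissionCookie
{
    // Constructed demo key (assumption); a real application loads a random secret from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-only-key-replace-with-random-secret");

    static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Value the server sets: "<userId>|<role>|<HMAC over userId|role>" (hypothetical layout).
    public static string Issue(int userId, string role)
    {
        string payload = userId + "|" + role;
        return payload + "|" + Sign(payload);
    }

    // Returns false when the value is malformed or was modified on the client.
    public static bool TryRead(string cookieValue, out int userId, out string role)
    {
        userId = 0; role = null;
        string[] parts = (cookieValue ?? "").Split('|');
        int id;
        if (parts.Length != 3 || !int.TryParse(parts[0], out id)) return false;
        if (!FixedTimeEquals(Sign(parts[0] + "|" + parts[1]), parts[2])) return false;
        userId = id; role = parts[1];
        return true;
    }

    // Constant-time comparison so the check does not reveal how many characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        string issued = Issue(42, "user");                      // constructed sample values
        string tampered = issued.Replace("|user|", "|admin|"); // the local edit the text warns about
        int id; string role;
        Console.WriteLine("issued accepted: " + TryRead(issued, out id, out role));
        Console.WriteLine("tampered accepted: " + TryRead(tampered, out id, out role));
    }
}
```

The signature only detects modification; a cookie issued before a permission change in the database still verifies, so the permission field is still better read on the server for each request.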