3

I am planning to have a multi tenant application in Azure where data isolation is achieved via schema separation.

I am planning to use subdomain to identify the tenant. Idea is to get the tenant name from the sub-domain, get the user-id and password from the login page and validate the uid, pwd & tenant id for the authentication. If authenticated, all the calls to SPROCS from the application needs to be directed to the schema (same name as the tenant).

However, i dont want to store tenant wise connection string in the web.config file. 1 option i can think of is, store the schema name and password in a table that is acceptable from the login page, and create the tenant specific connection string (with its UID and Password) and store it in session. Use this connection string while initializing any Stored Procedure.

However, i am not keen on storing uid and password of the schema in session. Is there any other way to manage this scenario?

Improve this question
5
  • What is your concern specifically with storing connection strings in Session?
    – Herve Roggero
    Commented May 28, 2013 at 12:54
  • My concern in storing connection string in session is that sessions will be stored in my cookie which will reside on my client browser and if there is a man in middle attack where my session is compromised, the username and password from the connection string will be made available.
    – iomca4u
    Commented May 28, 2013 at 13:42
  • 1
    Wow, don't make cookies the store for your "session". Out of interest, have you looked at other stores for your session? e.g. Stores like table storage or app fabric storage - both of these would only use an identifying cookie (ASP.NET_SessionId) that the server uses to lookup your session data from wherever you store session data.
    – alergy
    Commented May 28, 2013 at 15:22
  • You certainly could store your session elsewhere, such as SQL Database, or even the Azure Cache for example, in addition to Alergy's recommendations. That's what I would do.
    – Herve Roggero
    Commented May 28, 2013 at 16:27
  • i am making my sessions stored in azure web role distributed cache memory. this helps me to scale the memory as required and since its distributed, i dont have to worry about serialization. And for the password being present in session variable, what i have thought of is putting the same in an encrypted form and decripting it while reading it in my code. so, even if the same is haked - the password / uid are encrypted.
    – iomca4u
    Commented May 29, 2013 at 0:44

1 Answer 1

Reset to default
3

There is no security harm to store connection string in session, as session values are not stored in Cookie. Only Session ID will be stored in cookie, and each values of session stored in server along with the Session ID.

But the connection string is common for group of users who access the application, in your case tenant. So storing in session will use more memory. Always try to use Context Approach, for example your Data Layer code will refer connection string as follows

String con=AppContext.Current.ConnectionString;

Above AppContext class will have actual logic to retrieve the connection string based on type of the host, such as worker role, web role, unit test etc..

•You can store the connection string in web.config, and key can be prefixed with sub domain value Example: Subdomain1_connection =connection string

•You can store them in a data base if you have central DB where all the tenants information stored

•If you don’t have such DB, you can create Azure table to store tenant information

I always have two context variables in any multi-tenant application, AppContext and UserContext, this two contexts provides appropriate data. So my unit test don’t bother about sessions, the context will deliver the values from static dictionary OR session OR database OR Azure table based on where my app is running.

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.