I am using a stateless design for an MVC5 Web API 2, ASP.NET application.
User roles are created by administrators by selecting permissions. Each user in the application is assigned a custom user role, one role may be shared amongst users.
Razor views are structured based on the permissions in the user's role. MVC and API controllers are available depending on the permissions in the user's role.
For each request to the server, the user's permissions need to be processed. I can think of 2 ways to do this:
Which of these would be the better option?
Option 1 is a lot slower than option 2. Is there a security risk in storing the permissions in the cookie? Is there a better or alternative solution which is quick and secure?
Storing permissions and other sensitive data inside a cookie is always a very bad idea, as it's quite easy to manipulate them. Trusting cookies requires an additional server-side check, which defeats the purpose of storing them inside a cookie.
You're way better off only trusting the data that is under your control, aka the data in your database(s).
Depending on your application it might be useful to lazily evaluate permissions only when you really need to access them if the performance hit is too big. Keep in mind that you can make use of things like Redis to improve performance dramatically.
So again, depending on your application I'd probably go for option 1 as it's the more secure way.
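To make the "easy to manipulate" point concrete, here is an added, language-agnostic illustration (it is not part of the question or the answer above, and it is plain Python rather than ASP.NET code; every helper name is hypothetical and the role store and keys are constructed). It contrasts a permissions cookie the client can simply edit with one that carries an HMAC-SHA256 tag, and adds the check a practitioner still needs on top of a signature: a role version compared against the server-side store on every request, so that a cookie issued before an administrator edited the role is refused rather than trusted.

```python
"""Per-request permission checks: an unsigned permissions cookie versus an
HMAC-signed one that also carries a server-side role version.
Hypothetical helpers with constructed data; not ASP.NET code."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the database / Redis role store the answer refers
# to: role name -> (permission set, version). The version is bumped whenever an
# administrator edits the role, which makes cookies issued earlier go stale.
ROLE_STORE = {
    "editor": ({"articles.read", "articles.write"}, 3),
    "admin": ({"articles.read", "articles.write", "users.manage"}, 1),
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Permissions in a plain cookie (what "store it in the cookie" means) ----
def issue_unsigned_cookie(user: str, perms: set) -> str:
    return _b64e(json.dumps({"u": user, "p": sorted(perms)}).encode())


def read_unsigned_cookie(cookie: str) -> set:
    """Trusts whatever the client sent, so the client can grant itself anything."""
    return set(json.loads(_b64d(cookie))["p"])


def tamper(cookie: str, extra_perm: str) -> str:
    """What a malicious client does to an unsigned cookie: decode, edit, re-encode."""
    body = json.loads(_b64d(cookie))
    body["p"].append(extra_perm)
    return _b64e(json.dumps(body).encode())


# --- Tamper-evident variant: payload plus HMAC-SHA256 tag under a server key --
def issue_signed_cookie(user: str, role: str, key: bytes, store=ROLE_STORE) -> str:
    perms, version = store[role]
    payload = _b64e(json.dumps(
        {"u": user, "r": role, "v": version, "p": sorted(perms)}).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def tamper_signed(cookie: str, extra_perm: str) -> str:
    """Same edit applied to a signed cookie; the old tag no longer matches."""
    payload, tag = cookie.split(".", 1)
    body = json.loads(_b64d(payload))
    body["p"].append(extra_perm)
    return f"{_b64e(json.dumps(body).encode())}.{tag}"


def read_signed_cookie(cookie: str, key: bytes):
    """Returns the claims dict, or None when the tag does not verify."""
    try:
        payload, tag = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):  # constant-time compare
            return None
        return json.loads(_b64d(payload))
    except (ValueError, KeyError):
        return None


def authorize(cookie: str, required: str, key: bytes, store=ROLE_STORE) -> bool:
    """Per-request check: the tag must verify AND the role version in the cookie
    must match the server-side store, otherwise the cookie is stale or forged."""
    claims = read_signed_cookie(cookie, key)
    if claims is None:
        return False
    stored = store.get(claims["r"])
    if stored is None or stored[1] != claims["v"]:
        return False  # role edited or deleted since issue: force a fresh login
    return required in claims["p"]


def demo():
    """Returns (forgery accepted by unsigned cookie, forgery accepted by signed
    cookie, stale signed cookie accepted after a role edit)."""
    key = secrets.token_bytes(32)
    plain = issue_unsigned_cookie("alice", ROLE_STORE["editor"][0])
    unsigned_forged = "users.manage" in read_unsigned_cookie(tamper(plain, "users.manage"))
    signed = issue_signed_cookie("alice", "editor", key)
    signed_forged = authorize(tamper_signed(signed, "users.manage"), "users.manage", key)
    edited = {"editor": ({"articles.read"}, 4), "admin": ROLE_STORE["admin"]}
    stale_accepted = authorize(signed, "articles.write", key, edited)
    return unsigned_forged, signed_forged, stale_accepted


if __name__ == "__main__":
    print(demo())
```

The signature only proves the server issued the cookie; it says nothing about whether the permissions are still current, which is why `authorize` still hits the role store for the version on every request (a cheap key lookup that can live in Redis, as the answer suggests, rather than a full permissions query). The key in `demo` is generated per run only for illustration; a real deployment keeps one server-side secret and rotates it deliberately.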