I am developing an application that will support several departments in our organization, and I want to define what data is accessible based on the AD groups a user is in.

My question is: is it more cost-effective resource-wise (bandwidth, time slices, etc.) to use an IsUserInRole() call at each decision point, or to load several Boolean Session[] variables at user login and use those throughout my code?

Thoughts?
I would avoid Sessions. They make scaling an application harder since you need a centralized store (a Database or Redis), which will be hit at every single request. It slows down the process since you have to wait for the request to complete before going on with the actual business logic.

The answer for this is using JWT tokens. They work very well for a small amount of data (like a limited number of roles, not hundreds of them). JWT tokens can safely be put inside a cookie so every browser request carries it to the server.
You may get more information about JWT tokens here: https://jwt.io/introduction/. This other StackOverflow question has a lot of information about JWT tokens: Using JWT to implement Authentication on Asp.net web API.
I hope it solves your issues. Good luck.
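To make the JWT approach from the answer above concrete, here is an added example (not from the answer or from any library mentioned) that mints an HS256 token at login with the user's group membership as a roles claim, then performs a per-request role check that verifies the signature and expiry before trusting the claim. The secret, function names and sample roles are hypothetical; the check uses only the Python standard library.

```python
import base64, hmac, hashlib, json, time

# Hypothetical server-side HS256 secret; in production load it from a secret store.
SECRET = b"demo-secret-do-not-use-in-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, roles: list, ttl_seconds: int = 3600, now: int = None) -> str:
    """Mint a JWT at login carrying the user's AD groups as a short 'roles' claim."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user, "roles": roles, "iat": now, "exp": now + ttl_seconds},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int = None) -> dict:
    """Verify signature and expiry; raise ValueError otherwise. Claims are untrusted until this passes."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; reject 'none' and anything unexpected
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def is_user_in_role(token: str, role: str, now: int = None) -> bool:
    """Per-request role check: a verified claim lookup with no session-store round trip."""
    try:
        return role in verify_token(token, now).get("roles", [])
    except ValueError:
        return False
```

Note that group changes in AD are only reflected when a new token is issued, so keep the expiry short enough for your revocation needs.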