Handling different types of users in asp.net mvc

I have 3 different types of users (with different roles) interacting on my web application, they all perform some task - some can be exactly the same e.g. create a quote others can be unique to that specific user e.g. sign off quote.

For more clarity 3 types of users: Client, Supplier, Customer.

Client or Customer can create a quote, however only the Customer can sign off a quote.

How do I ensure my application allows clients to access client speficic controllers and suppliers to access supplier specific controllers or areas. Via Custom Attributes? Do I store the type of user inside a cookie? Is this safe? or Session state? As soon as someone logs onto the system I send back a LoggedOnDTO object on which I store Username, UserID, and type of user....

NOTE: I went away from asp.net build in way of creating users, I have my own custom tables with my custom mechanism for logging into the system. I have a registered Model Bindiner that looks for the prefix and I send in a strongly typed object to each action...

Sample code:

[HttpGet]
public ActionResult AddComment(int quoteid, ClientUserDTO loggedonclientuser)
{

}

[HttpGet]
public ActionResult AddCommentSu开发者_C百科pplier(int quoteid, Supplier loggedonsuppluser)
{

}

EDIT: This method for some reason seems so much simpler... Is there something wrong with it? Any possible security issues? Threading?

My session controller is:

if (_authService.isValidUser(model))
{
   var data = _authService.GetAuthenticationCookieDetails(model);
   AuthenticateCookie.AddDetailsToCookie(data);
   return Redirect(Url.Action("Index", "Activity"));
}

When I create my cookie... I can simple store "ClientUser", "Supplier" or whatever role they are inside the cookie.

Then I can create an Attribute and read in the cookie data to see if they are a valid user e.g.

public class ClientAuthorizationAttribute : AuthorizeAttribute
    {
        public bool AlwaysAllowLocalRequests = false;
        protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
        {
            if (AlwaysAllowLocalRequests && httpContext.Request.IsLocal)
            {
                bool authorized = false;
                var result = UserDetails.GetTypeFromTicket(httpContext.User.Identity as FormsIdentity);

                if (result.Equals("client", StringComparison.OrdinalIgnoreCase))
                {
                    authorized = true;
                }
                //throw no access exception?
                return authorized;
            }
            return base.AuthorizeCore(httpContext);
        }
    }

Register the attribute under my base controller and I have a simple working solution???

Write a custom MembershipProvider and a Custom RoleProvider then you can decorate your controler class or specific methods with the attribute

<Authorize(Roles:="ROLENAME")>

You can learn how to make that your asp mvc use the custom membershiprovider in this question It's really easy.

Edited: The way you did it looks right, but I think you take the long way. Implementing your own MembershipProvider and your own Roleprovider will take you no more than 20 minutes... and you will have the benefits of being working with a well tested and documented system and still having the benefits of use your own database tables for the login. In a simple login system, you only have to write two functions in the roleprovider (GetRolesForUser and IsUserInRole) and only one function in the membershipprovider (ValidateUser) and you will get your system working.

If you want, I can put somewhere (maybe pastebin) a well commented versión of a membershipProvider as well of a roleprovider that i'm using in a simple app (they're made in vb.net but i'm sure it will not be a problem)

You can also write generic code in the base controller instead of decorating each action with Authorize attribute. Please refer below url.

Good practice to do common authorization in a custom controller factory? custom-controller-factory/5361846#5361846