asp.net mvc session and membership authentication

New to MVC, worked a lot with asp.net but never used the built-in membership, authentication, authorization stuff before.

I have 2 questions:

  1. In the asp.net days I would store the logged-in user details (username, first & last name, email) in a session (using a custom class) and just check that session["UserDetails"] != null in each secure page. Can I still do that in MVC? (Why I'm not doing it with the built-in stuff? - move to question #2)

  2. In my DB I've got an Authors table (with user & pass) which is connected to 20 other tables, and I've got a Users table (with user & pass) that connects to 1 or 2 tables. Say I want to use the built-in stuff: how can I use it to validate the author login and the user login with the same membership provider? And how will I know whether the currently logged-in account is the user or the author when calling User.Identity.IsAuthenticated?

Thanks everyone!


Question 1:

In your controllers you would be using HttpContext.User to get the current IPrincipal for the user making the request. To secure an action (or an entire controller) just decorate it with the [Authorize] attribute. Read about the authorize attribute here http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx

Question 2:

Here you have two options: extend the profile provider to manage that extra data, or lose a bit of referential integrity and just use the app services db for authorization, have a UserId field in each entity related to a user, and build your user and related entities collection in your data access layer. I always use the 2nd one.


  1. You were not supposed to do that in regular asp.net. What you were supposed to do was use forms authentication to emit a signed ticket, which in 2.0+ could have been with the membership provider. The earlier is pretty much flexible, so before reading #2 there was already no reason not to use it ;). But yes, you could still do that, and no, there is no other different suggested way of handling it in asp.net MVC.
  2. You can either put the extra data in the ticket or use a convention appending something to the username in the ticket, and then when receiving a cookie you can replace the context's IPrincipal with a custom principal.
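
The ticket-plus-custom-principal approach from the answer above, as an added example that is not part of the original answers. The `TicketAuth` class, its method names and the "Author"/"User" kind strings are assumptions; password verification against the Authors or Users table is assumed to happen before `SignIn` is called.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class TicketAuth
{
    // Assumed account kinds, matching the question's Authors and Users tables.
    static readonly string[] Kinds = { "Author", "User" };

    // Call only after the password was verified against the matching table.
    public static void SignIn(HttpResponseBase response, string userName, string kind)
    {
        if (Array.IndexOf(Kinds, kind) < 0)
            throw new ArgumentException("Unknown account kind", "kind");

        var now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(FormsAuthentication.Timeout),
            false,   // not persistent: the cookie ends with the browser session
            kind);   // UserData travels inside the protected ticket

        // With the default protection="All", Encrypt() encrypts and MACs the
        // ticket with the machineKey, so a client cannot turn "User" into
        // "Author" without invalidating it.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Call from Application_PostAuthenticateRequest in Global.asax.
    public static void AttachPrincipal(HttpContext context)
    {
        // FormsAuthenticationModule has already validated the ticket here.
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        var kind = identity.Ticket.UserData;
        if (Array.IndexOf(Kinds, kind) < 0) return;   // unexpected value: grant no role

        // The kind becomes a role, so [Authorize(Roles = "Author")] works.
        context.User = new GenericPrincipal(identity, new[] { kind });
    }
}
```

Controllers can then tell the two account types apart with `User.IsInRole("Author")` instead of reading a session variable.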