Hi, I am currently developing an application that requires a public website in addition to the application. The intention is to create a "public" user and create a "public" role that is assigned privileges to certain pages that will only be used for the public website. When a user comes to the website they will be automatically logged on using the public user, and therefore we can use all existing layouts and functionality of ASPN0 without having to have a separate website.
Some concerns I have with this approach are:
- Security - does this approach expose any security vulnerabilities; the user will be assigned a "public" role and limited privileges in the application to only view pages that are intended to be public;
- Performance - obviously there will be overheads to logging in automatically; do you think this will be significant with more traffic over time?
- Experience - currently the experience is showing the login screen very briefly before logging the user in; are there any other ways to log the user in without showing the screen (even for a split second).
Appreciate people's ideas on this approach to the public website, rather than maintaining a separate website whose look and feel may be different and difficult to keep aligned.
- Properly empowered to avoid security issues (the purpose of permissions is to protect the application)
- Automatic login will not have too much impact on performance.
- You can log in directly in the method without providing a login page for the user to enter the username and password.