tags:

views:

78

answers:

3

I am writing a login page for my site. I was thinking, would generating a random 64bit number and store it in the DB along with a httpOnly cookie be a good way to store the data? then every time a user receives a page (theres a toolbar which says how many new msg he has) to check if the random cookie matches the random cookie + userId in the database.

Is this fine?

BTW using C# ASP.NET

A: 

Sounds reasonable to me, provided you have a safe source for the random numbers. Bad (i.e. predictable) random generators are a big security risk.

ammoQ
A: 

Perhaps ASP.NET Profiles would help you out. Check out the SqlProfileProvider definition for using a pre-existing Profile Provider. And if your database happens to be something else you could always implement your own.

statenjason
+1  A: 

I recommend using a GUID rather than a random 64 bit number. A GUID is, for all practical purposes, guaranteed to be unique.

As for the security logic you are trying to implement, I can't comment on whether it will work if and only if you employ this pattern as more information is required in the question.

AdamRalph
The random 64bits is a session or login id. If a user forges his cookies to use someone else's userID (or GUID) the web logic will check to random loginId to see if it matches. If not its forged. It also allows no cookie expiration date and simple invalidates logins by clicking logout or signing in from elsewhere (causing a new random/login Id).
acidzombie24
Ditto for using a GUID
Phil
@acidzombie - I have edited my response accordingly
AdamRalph