ASP.Net Store User Data in Auth Cookie

views:

1192

answers:

+4 Q:

ASP.Net Store User Data in Auth Cookie

Hi,

I want to store some data like the user nickname and user ID (table primary key) in the user data section of the auth cookie. The reason I'm doing this is to retain this data when the browser is closed, without having the user relogin.

Edit: Whoops! Realized I'd not explained myself well. I am not trying to reauthenticate a user based on their cookie. The user is already authenticated by ASP.Net's membership system - this part is fine. My problem is that if I want to show the user's nickname, for example, I have to fire off another SQL query, and then store it in the session. I figured it would make sense to store this information in the auth cookie (again, the one already created by ASP.Net) in the UserData section, which seems to have been created for this purpose.

I don't want to use profiles because I have my own user table with profile data, and I needed a lightweight solution.

What is a good way to encode this data in the user data section of the auth cookie? I was thinking serialization, but that might be overkill. Am I going about this the wrong way?

Maybe you could just create another cookie... I personally wouldn't mess with the auth cookie.

Eric Nicholson 2009-07-01 17:41:38

Actually I AM generating a new auth cookie. I can go ahead and store a simple text string in the UserData section of the new cookie. My question is about serializing more complex objects.

Wild Thing 2009-07-01 17:54:16

I meant a cookie in addition to the auth cookie. Leave the auth cookie alone and create a new unencrypted cookie for the temporary user data.

Eric Nicholson 2009-07-01 20:20:38

Nah, I would be storing the User ID and Nickname - wouldn't want to store such sensitive data without encryption

Wild Thing 2009-07-02 15:09:48

+1 A:

Yes. If you are storing the User ID and Login in the cookie what's stopping someone from changing their cookies to anyone's User ID and Login?

You need to set up an auth ticket system. Basically it's a cookie value that gets checked when no session exists. If a value is present you run that against a ticket table which should contain their User ID. If you find the ticket, give them a session and a new ticket.

Spencer Ruport 2009-07-01 17:42:37

Hmm...I'm sure ASP.Net is already reisuing a new ticket when a user reauthenticates browser based on their auth cookie. However, I believe that you're also suggesting that even the encrypted User ID stored in the user data might be substituted by the malicious user's own encrypted data stored in his auth cookie? But then I'm not sure I follow the point of the userdata section in the auth cookie at all!

Wild Thing 2009-07-01 18:03:28

+1 A:

If you've already got a user table with profile information in it, why don't you hook into it with a custom profile provider.

If you want another example of how to implement something like this, you could take a look at the SQL Table Profile Provider

Zhaph - Ben Duguid 2009-07-01 21:03:33

+4 A:

Apparently I was on the right track: http://www.asp.net/learn/security/tutorial-03-vb.aspx (Step 4: Step 4: Storing Additional User Data in the Ticket)

Wild Thing 2009-07-03 17:38:57

ansaurus

tags:

views:

answers:

ASP.Net Store User Data in Auth Cookie

related questions