I have a user database, to which I have access through a web service. One of the web service methods is something like this:

public void login(string name, string password, out string user_key) // out parameter type assumed to be string

and in my controller I want to do something like this:

String key = repo.login(username, password); // a wrapper on the login method; returns the user key, or null on failure
if (!string.IsNullOrEmpty(key))
    FormsAuthentication.SetAuthCookie(username, false);

And my questions, here they come: This key is used for retrieving specific user data. Where do I put the key, so that I can have access to it? I mean, is there a method for the FormsAuthentication class? Because saying something like Session["key"] = key doesn't look like a good practice to me. And what is the good practice here, so that bad guys won't hack my session?

+1  A: 

Don't quite understand what you mean by

Session["key"] = key doesn't look like a good practice to me

I've been using something like Controller.HttpContext.Session for the longest period of time and don't feel slightest guilt at all.

If you want to worry about being hacked, then you should make sure that your GET parameters are properly sanitized before they are passed into the database. That's important.

Ngu Soon Hui
+1  A: 

Sessions are separated from the authentication cookie in ASP.NET, so in order to take over a session the attacker would have to replicate both the authentication cookie and the session cookie.

You can write user information as part of the authentication ticket by using one of the constructors which accept userData before generating it, and then read it back via the UserData property. Be aware, though, that if this user key is sensitive then you may want to encrypt the authentication cookie. This is the default in ASP.NET, but it's worth being specific and putting

<forms protection="All" />

into your web.config.

blowdart
I think that I will go with this approach. Thank you for your suggestion.
Andrei T. Ursan
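The approach from the accepted answer, written out as an added example (not code from the question or either answer): build the FormsAuthenticationTicket by hand so the user key travels in the userData slot, encrypt it, issue it as the forms cookie, and read it back on later requests through FormsIdentity.Ticket.UserData. The IUserRepository interface, the Login wrapper, and the UserKey helper class are hypothetical names chosen for the example; everything else is the standard System.Web.Security API.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical wrapper around the web-service login call from the question.
// Returns the user key on success, or null when the credentials are rejected.
public interface IUserRepository
{
    string Login(string name, string password);
}

public class AccountController : Controller
{
    private readonly IUserRepository repo;

    public AccountController(IUserRepository repo)
    {
        this.repo = repo;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password)
    {
        string key = repo.Login(username, password);
        if (string.IsNullOrEmpty(key))
            return View("Login"); // failed login: issue no cookie at all

        // SetAuthCookie cannot carry userData, so build the ticket ourselves.
        // The key goes into userData and is covered by the ticket's encryption and MAC.
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: username,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.Add(FormsAuthentication.Timeout),
            isPersistent: false,
            userData: key,
            cookiePath: FormsAuthentication.FormsCookiePath);

        // Encrypt() applies whatever <forms protection="..."> is configured;
        // with "All" (the default) the ticket is both encrypted and signed.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                         // keep page script away from the ticket
            Secure = FormsAuthentication.RequireSSL, // HTTPS-only when requireSSL is set in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        return RedirectToAction("Index", "Home");
    }
}

// Hypothetical helper for reading the key back on any later authenticated request.
public static class UserKey
{
    public static string Current(HttpContextBase context)
    {
        // The forms authentication module has already decrypted and validated the
        // ticket by the time the controller runs; a bad or tampered cookie never
        // becomes a FormsIdentity, so a null here simply means "not logged in".
        var identity = context.User != null ? context.User.Identity as FormsIdentity : null;
        return identity == null ? null : identity.Ticket.UserData;
    }
}
```

Inside a controller this is just `UserKey.Current(HttpContext)`. Two things worth keeping in mind with this design: the key now lives in the client's cookie (encrypted, but sized by the cookie limit, so keep userData small), and nothing here is a substitute for the server-side check that the key actually belongs to the named user when it is used to fetch data.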