Hi Guys,

I'm working on a project where certain logged-in users have a dedicated page which they can choose the URL of. When a user logs in I would like to display a link "View my page". I was just wondering what is the best way to store this, bearing in mind it needs to be accessible for as long as the user is logged in (the site has a remember me feature as well). Would a session variable suffice? Or a cookie? Or a custom IPrincipal?

Many thanks

Matt

UPDATE:

What do you guys think of using the UserData string you can store with the authentication cookie? It seems to satisfy my requirements, but I can't say I know a lot about it.

A: 

If what you mean is that you want to display a different custom URL for each user and you simply want to cache that URL then there are a few things to consider:

  1. If you use a session value or a cookie then you need to code for the possibility of the value not being present. Either the server session or the browser session could expire and the user could still be logged in.

  2. If you use a cookie you could consider setting the cookie expiry to the same as the authentication cookie expiry but this still doesn't guarantee availability.

  3. A cookie value will not be secure, it could be modified. A session value will be secure.

  4. If you're using custom forms authentication then you could store the URL in the authentication cookie itself and then load it into a custom IPrincipal. I would advise against that as I don't feel it's the right place.

If you're just trying to cache the URL then as long as your code re-fetches the data when the value is not present then a session value or a cookie will be fine depending on the level of security required.

If I have read that wrong and you just want to show/hide a link depending on whether a user is authorized or not, you can simply use

<% if (User.Identity.IsAuthenticated) { %>
  <a href="/MyPage">view my page</a>
<% } %>

And have your MyPage action in your controller render the dedicated page for the user.

David G
+1  A: 

Forms authentication (based on cookie) should be enough. Here you can read about using FormsAuthentication with custom IPrincipal:

ASP.NET 2.0 Forms authentication - Keeping it customized yet simple

This page is about how forms authentication works:

Explained: Forms Authentication in ASP.NET 2.0

When you use forms authentication, you have the Authorize attribute to limit access to controllers and actions. It works pretty well. Your own IPrincipal is not necessary. I wouldn't use Session, because it can be easily lost.

LukLed
A: 

Thanks guys, however I have ended up using the UserData string that you can store along with the authentication cookie. This way I know the data will always be available while the user is authenticated. And since I only need to remember simple data (the user's URL), this seems like a good solution.

Anybody with the same problem can find more info here:

http://www.asp.net/learn/security/tutorial-03-cs.aspx (See step 4)

Matt Brailsford