tags:

views:

1182

answers:

3
+1  Q: 

User authentication without Session state in ASP.NET

One of the requirements proposed for an ASP.NET application is that we have Session state disabled globally. (This is not negotiable.)

Another requirement is that we have some means for user authentication. I'm thinking of using ASP.NET's membership provider model.

Is it possible to have user authentication without Session State?

The specific user-authentication examples we're looking for are:

  • User goes to website unauthenticated
  • User enters registration information (contact fields, etc)
  • For the remainder of their session, user has access to certain content thanks to their registered status

Is there a way to do this with cookies?

Can this be done securely, so the cookie can not be easily spoofed?

Is there built-in functionality in ASP.NET to support this, or will we need to roll our own method?

+5  A: 

ASP.NET Forms authentication does not use SessionState. It uses a cookie to store the authentication ticket.

You can also force the authentication ticket to be sent over SSL channel by editing the web.config file.

All the functionality you need is available built-in in ASP.NET.

http://msdn.microsoft.com/en-us/library/aa480476.aspx

Mehrdad Afshari  2009-04-03 23:30:11
Great... looks like I need validationKey and decryptionKey need to be identical on all servers on the web farm for this to work.
frankadelic  2009-04-04 00:00:00
if you are on a Web farm, yes.
Mehrdad Afshari  2009-04-04 07:48:57
A: 

Yes, you can use cookies.

The problem with cookies, is you can't persist much data to them. For wizard type registration I store the data in the database and then store the row key/Id in an encrypted cookie. This way when the user moves to the next step you can retrieve the data from the database.

For cookies, you can timestamp and encrypt the cookie values. I typically don't manage the user's authentication state. I use the built in FormsAuthentication classes manage that aspect of my web applications.

Large sites such as: Myspace and Live Search Club, solely rely on cookies as state management.

Chuck Conway  2009-04-03 23:36:57
+2  A: 

Sure, a cookie will do this.

Think of the fundamentals. Session State is managed by cookies anyway.

Here's what you do.

When they log in, you take their userid, and a timeout (so the login only lasts for, say, 30 minutes or whatever).

Take that string, and hash it.

(java, not important tho)

String cookie = userid + ":" + timeString + ":" + md5(userid + ":" + timeString + ":" + "secretpassword");

Then, when the request hits your site, check the cookie. First check it for integrity.

String parts[] = cookie.split(":");
String newHash = md5(parts[0] + ":" + parts[1] + ":" + "secret password");
if (!newHash.equals(parts[2])) {
    // boom, cheater!
}

Then check the time string to see if they're still "logged in", and go from there.

Make sure if you do the time thing to update the cookie on every request.

Will Hartung  2009-04-03 23:38:20
this is a pretty bad practice though, security wise. If secret password leaked once anyone can login into the app. And if it's weak it can be cracked (especially while MD5 is fading out). If you gonna do this way at least use a different random "secret" for every user. That'd be so much more safer.
dr. evil  2009-04-03 23:44:18
How would you manage a different key-per-user-per-authenticated-session?
Justice  2009-04-03 23:57:31
That's a key control issue, you have the same problem with any encryption. Don't like MD5, pick SHA. It's an example of technique.
Will Hartung  2009-04-04 00:30:34
@Justice - simply generate a random password for each user when you create them, and put it in their user record. Since you have the userid here, it's simple to look it up for each user.
Will Hartung  2009-04-04 00:31:56

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps