Does UserId data type affect FormsAuthentication.SetAuthCookie(UserId.ToString(), false)? | ansaurus

tags:

views:

90

answers:

1

Q:

Does UserId data type affect FormsAuthentication.SetAuthCookie(UserId.ToString(), false)?

Does the original data type of the username string in a call to FormsAuthentication.SetAuthCookie(...) make any difference with regards to security or code maintainability?

As I understand it, the cookie is encrypted and used to identify a user on each request. I'm curious whether it should affect the design of the primary key on my Users table in my database, eg. Guid vs int or a unique username string.

+4 A:

FormsAuthentication.SetAuthCookie has no knowledge of your key. It expects a Username, which is the lingua franca for most all interop between the ASP.Net providers.

So, No, your key could be a 10mb blob and you would still pass the Username, which is typically a human readable string, to FormsAuthentication.SetAuthCookie.

What I am getting at is that the UserId is not stored in the auth ticket so the data type or size of the UserId has no effect on the auth ticket cookie.

Sky Sanders 2010-04-20 05:15:01

+1 for `your key could be a 10mb blob` :-)

Darin Dimitrov 2010-04-20 05:16:29

Thanks for your answer, Sky. If the UserId is not stored in the cookie, then I presume the ticket must contain it somewhere, but then where is the ticket containing the UserId stored? I use Guid UserId = new Guid(System.Web.HttpContext.Current.User.Identity.Name); - don't know if it's best practice.

FreshCode 2010-04-20 11:04:53

@freshcode - ticket==cookie. same thing. The UserId is not passed or stored in ANY cookie. The UserName is stored in the cookie. This is the 'natural key', and is used to get the user when necessary, where the UserId, which is a surrogate key can be found.

Sky Sanders 2010-04-23 18:10:04

related questions

ASP.NET Membership: Login Controls Source Code

ASP.NET Login to a Website with Forms Authentication vs None

Avoid losing PostBack user input after Auth Session has timed out in ASP.NET

ASP.NET Login Page Styles

What is the purpose/meaning of the Version property on a FormsAuthenticationTicket?

.NET forms authentication cookie not accessible in another application

How to change FormsCookieName at runtime in ASP.NET

How to get current user in Asp.Net MVC

Can't set FormsAuthenicationTicket.UserData in cookieless mode.

How do you implement a "Logout" link using ASP.NET MVC?

Examples of asp.net mvc and authentication

Login.aspx always wants to be my home page!

In ASP.Net, can we create an application with its own Web.Config and Forms Authentication section inside another application using Forms Authentication?

How secure is basic forms authentication in asp.net?

Inheriting a base class

FormsAuthentication selective to url

What is the best workaround for the ASP.NET forms authentication timeout problem when using wildcard mapping?

Context.User losing Roles after being assigned in Global.asax.Application_AuthenticateRequest

How do I logout of multiple asp.net applications?

[ASP.NET] Conditional Redirect on Login

Bypass Forms Authentication auto redirect to login, How to?

How do I filter nodes of TreeView and Menu controls with sitemap data sources based on user permissions?

How do I best handle role based permissions using Forms Authentication on my ASP.NET web application?

How do I keep my Login.aspx page's ReturnUrl parameter from overriding my ASP.NET Login control's DestinationPageUrl property?

How do I use ASP.NET Login Controls when my Login.aspx is not at the root of my application?