tags:

views:

83

answers:

2
+2  Q: 

How to store custom data in ASP.NET Membership Cookie

Can anyone give me an example (or point me in the right direction) on how to store custom data in an ASP.NET Membership cookie?

I need to add some custom properties like UserID and URLSlug to the cookie and be able to retrieve the information in the same way one would retrieve the Username.

Edit:

I used Code Poet's example and came up with the following.

When I set a breakpoint at Dim SerializedUser As String = SerializeUser(userData) the value of userData is right. It has all the properties I expect it to have.

The problem I'm now running into is that when I get to Dim userdata As String = authTicket.UserData (breakpoint), the value is "". I'd love to figure out what I'm doing wrong.

Here's the code.

Imports System
Imports System.Web
Imports System.Web.Security

Namespace Utilities.Authentication
    Public NotInheritable Class CustomAuthentication
        Private Sub New()
        End Sub

        Public Shared Function CreateAuthCookie(ByVal userName As String, ByVal userData As Domain.Models.UserSessionModel, ByVal persistent As Boolean) As HttpCookie

            Dim issued As DateTime = DateTime.Now
            ''# formsAuth does not expose timeout!? have to hack around the
            ''# spoiled parts and keep moving..
            Dim fooCookie As HttpCookie = FormsAuthentication.GetAuthCookie("foo", True)
            Dim formsTimeout As Integer = Convert.ToInt32((fooCookie.Expires - DateTime.Now).TotalMinutes)

            Dim expiration As DateTime = DateTime.Now.AddMinutes(formsTimeout)
            Dim cookiePath As String = FormsAuthentication.FormsCookiePath

            Dim SerializedUser As String = SerializeUser(userData)

            Dim ticket = New FormsAuthenticationTicket(0, userName, issued, expiration, True, SerializedUser, cookiePath)
            Return CreateAuthCookie(ticket, expiration, persistent)
        End Function

        Public Shared Function CreateAuthCookie(ByVal ticket As FormsAuthenticationTicket, ByVal expiration As DateTime, ByVal persistent As Boolean) As HttpCookie
            Dim creamyFilling As String = FormsAuthentication.Encrypt(ticket)
            Dim cookie = New HttpCookie(FormsAuthentication.FormsCookieName, creamyFilling) With { _
             .Domain = FormsAuthentication.CookieDomain, _
             .Path = FormsAuthentication.FormsCookiePath _
            }
            If persistent Then
                cookie.Expires = expiration
            End If

            Return cookie
        End Function


        Public Shared Function RetrieveAuthUser() As Domain.Models.UserSessionModel
            Dim cookieName As String = FormsAuthentication.FormsCookieName
            Dim authCookie As HttpCookie = HttpContext.Current.Request.Cookies(cookieName)
            Dim authTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
            Dim userdata As String = authTicket.UserData

            Dim usersessionmodel As New Domain.Models.UserSessionModel
            usersessionmodel = DeserializeUser(userdata)
            Return usersessionmodel
        End Function


        Private Shared Function SerializeUser(ByVal usersessionmodel As Domain.Models.UserSessionModel) As String
            Dim bf As New Runtime.Serialization.Formatters.Binary.BinaryFormatter()
            Dim mem As New IO.MemoryStream
            bf.Serialize(mem, usersessionmodel)
            Return Convert.ToBase64String(mem.ToArray())
        End Function

        Private Shared Function DeserializeUser(ByVal serializedusersessionmodel As String) As Domain.Models.UserSessionModel
            Dim bf As New Runtime.Serialization.Formatters.Binary.BinaryFormatter()
            Dim mem As New IO.MemoryStream(Convert.FromBase64String(serializedusersessionmodel))
            Return DirectCast(bf.Deserialize(mem), Domain.Models.UserSessionModel)
        End Function
    End Class
End Namespace

Here's where I create all the magic. This method is in a "BaseController" class that inherits System.Web.Mvc.Controller

Protected Overrides Function CreateActionInvoker() As System.Web.Mvc.IActionInvoker

            If User.Identity.IsAuthenticated Then ''# this if statement will eventually also check to make sure that the cookie actually exists.

                Dim sessionuser As Domain.Models.UserSessionModel = New Domain.Models.UserSessionModel(OpenIdService.GetOpenId(HttpContext.User.Identity.Name).User)
                HttpContext.Response.Cookies.Add(UrbanNow.Core.Utilities.Authentication.CustomAuthentication.CreateAuthCookie(HttpContext.User.Identity.Name, sessionuser, True))
            End If
End Function

And here's how I try and retrieve the info.

 Dim user As Domain.Models.UserSessionModel = CustomAuthentication.RetrieveAuthUser
+2  A: 

First of all ASP.Net Membership providers don't write any cookies, Authentication cookies are written by FormsAuthentication.

And secondly, why interfere into authentication cookie at all. You can do this in a seperate cookie altogether. Here's how you can do that.

Writing the keys-values into cookie.

//create a cookie
HttpCookie myCookie = new HttpCookie("myCookie");

//Add key-values in the cookie
myCookie.Values.Add("UserId", "your-UserId");
myCookie.Values.Add("UrlSlug", "your-UrlSlug");

//set cookie expiry date-time, if required. Made it to last for next 12 hours.
myCookie.Expires = DateTime.Now.AddHours(12);

//Most important, write the cookie to client.
Response.Cookies.Add(myCookie);

Reading the keys-values from cookie.

//Assuming user comes back after several hours. several < 12.
//Read the cookie from Request.
HttpCookie myCookie = Request.Cookies["myCookie"];
if (myCookie == null)
{
    //No cookie found or cookie expired.
    //Handle the situation here, Redirect the user or simply return;
}

//ok - cookie is found.
//Gracefully check if the cookie has the key-value as expected.
if (!string.IsNullOrEmpty(myCookie.Values["UserId"]))
{
    string UserId= myCookie.Values["UserId"].ToString();
    //Yes UserId is found. Mission accomplished.
}

if (!string.IsNullOrEmpty(myCookie.Values["UrlSlug"]))
{
    string UrlSlug = myCookie.Values["UrlSlug"].ToString();
    //Yes key2 is found. Mission accomplished.
}

If at all you need to disturb the authentication cookie, though not advisable, This is how you may do it.

Writing the keys-values into cookie.

//create a cookie
HttpCookie myCookie = FormsAuthentication.GetAuthCookie("UserName", true);

//Add key-values in the cookie
myCookie.Values.Add("UserId", "your-UserId");
myCookie.Values.Add("UrlSlug", "your-UrlSlug");

//set cookie expiry date-time, if required. Made it to last for next 12 hours.
myCookie.Expires = DateTime.Now.AddHours(12);

//Most important, write the cookie to client.
Response.Cookies.Add(myCookie);

Reading the keys-values from cookie.

//Assuming user comes back after several hours. several < 12.
//Read the cookie from Request.
HttpCookie myCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (myCookie == null)
{
    //No cookie found or cookie expired.
    //Handle the situation here, Redirect the user or simply return;
}

//ok - cookie is found.
//Gracefully check if the cookie has the key-value as expected.
if (!string.IsNullOrEmpty(myCookie.Values["UserId"]))
{
    string UserId= myCookie.Values["UserId"].ToString();
    //Yes UserId is found. Mission accomplished.
}

if (!string.IsNullOrEmpty(myCookie.Values["UrlSlug"]))
{
    string UrlSlug = myCookie.Values["UrlSlug"].ToString();
    //Yes key2 is found. Mission accomplished.
}
this. __curious_geek  2010-07-14 06:49:53
sorry for the error. Yes I'm using a form of forms authentication in my app. Thanks for the detailed suggestion, I'm gonna look at it tomorrow (time for bed).
rockinthesixstring  2010-07-14 06:57:50
I'm actually using DotNetOpenAuth for my membership stuff (no ASP.NET membership to be found). but I see that DotNetOpenAuth is using (somehow) the forms authentication cookie... I just thought I could piggyback on that.
rockinthesixstring  2010-07-14 07:02:40
also, why is it not advisable to **disturb** the authentication cookie?
rockinthesixstring  2010-07-14 07:05:38
Is there a way to add this into an IPrincipal extension so that I (for example) could call `User.Identity.Slug` to acquire the user slug?
rockinthesixstring  2010-07-14 17:05:59
I think this is bad advice. You can see my answer for why. @rock. cheers.
Sky Sanders  2010-07-17 23:52:30
+1  A: 

Depending on the scenario, using a separate cookie might be a viable option, but in my opinion is sub optimal for several reasons including the simple fact that you have to manage multiple cookies as well as managing the lifetime of the cookie.

The most reliable strategy for incorporating custom information into your forms ticket is to leverage the userData field of the ticket. That is exactly what it is there for.

You can easily store custom data in the userData field of the ticket.

There are a few concerns to be aware of regarding the size of the data to be stored in the ticket that are explained here

And here is a small class that can help in the task of storing custom data in your forms ticket.

Sky Sanders  2010-07-17 23:51:10
So if I have a small class object with custom data that I need persistent access to `ID, RegionID, Username, Slug`, do I send that to the `userData` object in a comma separated string or do I need to some how searialzie it and put it in there?
rockinthesixstring  2010-07-18 02:19:33
@rock, if it is as simple as the object you present, using a csv should be no problem. no need to get all overengineered. but you need to be conscious of urlencoding your final 'userdata' value as embedded commas and semi-colons will break the cookie. Of course that means you need to urldecode it to rehydrate all the while being concious of embedded commas. your expected data will determine what level of awareness you need to maintain. good luck.
Sky Sanders  2010-07-18 03:23:11
I've tested your code with some Serialization logic and the deserializing bit is breaking. I've edited the original question for clarification... can you see what I might be missing?
rockinthesixstring  2010-07-18 04:41:00
@rock - are you missing the userData right after you create the ticket or when you read the ticket from a new request? If you don't get userData right after creating the ticket then there is a problem with the VB conversion of the code, if you are missing the data on the next request there is an issue with how you are setting the cookie. are you setting the ticket or perhaps some other code is overwriting it?
Sky Sanders  2010-07-18 04:56:27
I've made another edit. Basically I initiate your code in the `CreateActionInvoker` method of a BaseController that inherits from the `System.Web.Mvc.Controller`. Then I `RetrieveAuthUser` in my Controller `ActionResult`
rockinthesixstring  2010-07-18 05:08:36
I figured it out. I had to the creation of the cookie in the login page only instead of the original `FormsAuthentication.SetAuthCookie`
rockinthesixstring  2010-07-19 02:47:43
@rock - glad you got it. working out ok?
Sky Sanders  2010-07-19 15:11:00
yeah, seems to be. Now I need to test it's performance. I check for certain items in that cookie on every page load and I'm wondering how much of a performance hit it will be.
rockinthesixstring  2010-07-19 15:25:52
@rock - unless you are servicing thousands of requests per second or your server is a dinosaur, I think you may be overly concerned. The load of unpacking a cookie is dwarfed in the context of all the other asp.net plumbing that is going on behind the scenes.
Sky Sanders  2010-07-19 15:45:38
@rock - and in a more macro perspective, cpu usage is rarely a bottleneck, if sufficient memory is present, when compared to network and disk IO, in my opinion.
Sky Sanders  2010-07-19 15:49:43
you're definitely right. The question for me is the difference between keeping the info in a Session which takes up server memory vs keeping the info in a Cookie which stays on the client machine. Which will perform better if/when this site get's a lot of traffic.
rockinthesixstring  2010-07-19 15:54:42
@rock - unless I have a truly compelling reason to maintain state in session i will offfload this to the client every time. A subtle issue that you may be overlooking is that session != forms ticket and the lifetimes are not syncronized no matter how hard you try and while you can arrive at a suitable workaround, by that time the size of the code and the increase in complexity will have you turning back on your heels towards stashing everything you can in the forms ticket.
Sky Sanders  2010-07-19 16:03:34

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps