
I'm implementing an ASP.NET (C#, MySQL DB) website with forms authentication. I noticed that the authentication cookie holds the user name (in my case - the email of the person). After reading this and other resources, I understand it's not safe to hold expected values, even though it's encrypted. How can I change this default functionality to an unexpected value?

Guy

1 Answer


You can do something like this:

// Build the ticket by hand instead of calling FormsAuthentication.SetAuthCookie,
// so the "name" slot holds the user ID rather than the user name (email).
FormsAuthenticationTicket tkt = new FormsAuthenticationTicket(
    1,                                  // ticket version
    _user.User_Id.ToString(),           // name: user ID instead of email
    DateTime.Now,                       // issue date
    DateTime.Now.AddMinutes(60),        // expiration
    true,                               // persistent cookie
    string.Format("{0},{1}", DateTime.Now.ToString(), _user.User_Id.ToString())); // userData

// Encrypt (and sign) the ticket with the machineKey, then write it into the
// standard forms-authentication cookie so the provider picks it up as usual.
string cookiestr = FormsAuthentication.Encrypt(tkt);
HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
ck.Path = FormsAuthentication.FormsCookiePath;
Response.Cookies.Add(ck);

I am simply adding my user ID on the cookie which really helps in logging.

Nikshep
  • But where would I write it in? I'll need to write the cookie on create/timeout and read the cookie on any page request. This is something that is currently done automatically by the provider. I'd still want it to be done automatically, so I wouldn't have to write the logic of reading and deciding if the user is authenticated or not – Guy Aug 07 '11 at 14:51
  • I thought that you wanted a functionality through which you can restrict the data being stored during cookie creation; ideally it would be when the user logs on to the system and is authenticated. This is when you should use this code. Now reading a cookie is a separate thing altogether; you might want to read the cookie to get some values. That would be my thought: on each HTTP request you can retrieve the cookie, and it has to be decrypted so that you can use the values. – Nikshep Aug 08 '11 at 04:59
  • Actually the membership provider is doing all of this automatically. Instead of reading the cookie and checking if the user is authenticated, I simply call the IsAuthenticated function of the membership. The only problem is that the membership provider identifies the user by the user name, which is the email. This value can be predicted and compromised. I wanted the standard functionality but to change the token itself from user name to something other, like a session ID – Guy Aug 08 '11 at 06:16
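Putting the answer and the follow-up comments together: the ticket's name slot can hold an opaque random token instead of the email, the built-in FormsAuthenticationModule keeps decrypting the cookie and setting User.Identity.IsAuthenticated on every request exactly as before, and a small lookup maps the token back to the user where the page needs it. The following is an added example, not code from the question or the answer; `OpaqueFormsAuth`, `SignIn`, `ResolveUserId`, `SignOut` and the in-memory `TokenToUserId` map are hypothetical names, and the map stands in for a table in the site's MySQL database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Issues a forms-authentication ticket whose "name" is an opaque random
// token rather than the user's e-mail, and resolves that token back to a
// user on later requests. Hypothetical helper; the token-to-user map is an
// in-memory stand-in for a table in the application's database.
public static class OpaqueFormsAuth
{
    // Stand-in for a server-side store (in the real site: a MySQL table
    // keyed by token, holding the user id and an expiry column).
    private static readonly ConcurrentDictionary<string, int> TokenToUserId =
        new ConcurrentDictionary<string, int>();

    // 32 random bytes from the OS CSPRNG: unguessable and carrying no user data.
    public static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Call once, after the credentials have been verified (e.g. Membership.ValidateUser).
    public static void SignIn(HttpResponse response, int userId, bool rememberMe)
    {
        string token = NewToken();
        TokenToUserId[token] = userId;

        var ticket = new FormsAuthenticationTicket(
            1,                              // version
            token,                          // name: the opaque token, not the e-mail
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(60),    // expiration
            rememberMe,                     // persistent cookie or session cookie
            string.Empty);                  // no userData: nothing to harvest from the cookie

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            Path = FormsAuthentication.FormsCookiePath,
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL  // HTTPS-only when the site requires it
        };
        if (rememberMe)
        {
            cookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }

    // FormsAuthenticationModule still decrypts the ticket and sets User.Identity on
    // every request, so User.Identity.IsAuthenticated works unchanged. Identity.Name
    // is now the token; this maps it back to the user id, or null if unknown.
    public static int? ResolveUserId(IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated)
        {
            return null;
        }
        int userId;
        return TokenToUserId.TryGetValue(user.Identity.Name, out userId)
            ? userId
            : (int?)null;   // unknown or revoked token: treat as not signed in
    }

    // Invalidate the server-side mapping as well as the cookie, so a copied
    // cookie stops working at sign-out rather than only at ticket expiry.
    public static void SignOut(IPrincipal user)
    {
        if (user != null && user.Identity.IsAuthenticated)
        {
            int ignored;
            TokenToUserId.TryRemove(user.Identity.Name, out ignored);
        }
        FormsAuthentication.SignOut();
    }
}
```

From the login page, after the membership provider has validated the password, call `OpaqueFormsAuth.SignIn(Response, userId, rememberMe)` instead of `FormsAuthentication.SetAuthCookie`; on any page, `User.Identity.IsAuthenticated` behaves as before and `OpaqueFormsAuth.ResolveUserId(User)` gives the user id. Because the token is random, a captured cookie reveals nothing about who the user is, and because the mapping lives server-side it can be revoked. The in-memory dictionary is per-process and is lost on recycle or in a web farm, which is why the real site should keep the mapping in its database.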