Question

I started to implement my login class from scratch, and have a big problem with security.

This is my algorithm for the login page:

if (userName and password are valid)
{
    create session from login object
    encrypt username
    create cookie from encrypted username
    go to private page
}

And in page_load() on my private page:

if (session exists)
{
    update cookie timeout
}
else
{
    if (cookie exists)
    {
        decrypt value
        if (username from decrypted cookie value exists)
        {
            create session
            update cookie timeout
        }
    }
    else
    {
        go to login page
    }
}

So my questions:

1. Does this algorithm have a security problem? (Because I think everyone could save the cookie value and create their own; is that right?)
2. I am using a cookie because I had a problem with the session timeout, and want to keep my users logged in for more than a day. Is that a good way?
3. What do sites like Facebook do to keep their users logged in?

Thanks for your attention.


Solution

1) Yes, everyone can create cookies, but not everyone can encrypt the value you want to set. The encryption is done server-side with a private key that only you, or your code, should have access to.

2) A cookie can be set to be available only during the browser session or until a specific expiration date, so yes, that would be a good option.

3) I would not know for all users, but a cookie is a good option. Sites like live.com and google.com just create cookies with a long expiration date. Keep in mind that you should provide a means to let the user decide this (for instance using a checkbox).

Maybe I'm missing some context, but why reinvent the wheel and not just use ASP.NET Forms Authentication? That will do just what you describe in your algorithm.

You can combine it with the Membership Provider Framework or the new ASP.NET Identity Framework.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow