ASP.Net Store User Data in Auth Cookie

Question

I want to store some data like the user nickname and user ID (table primary key) in the user data section of the auth cookie. The reason I'm doing this is to retain this data when the browser is closed, without having the user relogin.

Edit: Whoops! Realized I'd not explained myself well. I am not trying to reauthenticate a user based on their cookie. The user is already authenticated by ASP.Net's membership system - this part is fine. My problem is that if I want to show the user's nickname, for example, I have to fire off another SQL query, and then store it in the session. I figured it would make sense to store this information in the auth cookie (again, the one already created by ASP.Net) in the UserData section, which seems to have been created for this purpose.

I don't want to use profiles because I have my own user table with profile data, and I needed a lightweight solution.

What is a good way to encode this data in the user data section of the auth cookie? I was thinking serialization, but that might be overkill. Am I going about this the wrong way?

Answer 1

I've written an in depth tutorial on how to do this here:

http://www.danharman.net/2011/07/07/storing-custom-data-in-forms-authentication-tickets/

This maintains the encryption and authentication, and uses json to serialize a class into the UserData field.

Edit:

The blog no longer exists, an archive can be found on the web archive here.

Summary from blog:

Get the existing cookie and auth ticket

HttpResponse response = HttpContext.Current.Response;
bool rememberMe = true;
var cookie = FormsAuthentication.GetAuthCookie(name, rememberMe);
var ticket = FormsAuthentication.Decrypt(cookie.Value);

Define your custom data (make sure this is serializable to json)

var userData = new YourUserClass(...);

Create a new auth ticket with your data, and existing auth ticket settings

var newTicket = new FormsAuthenticationTicket(ticket.Version, 
    ticket.Name, 
    ticket.IssueDate, 
    ticket.Expiration, 
    ticket.IsPersistent, 
    userData.ToJson(), //This is where you'd set your user data
    ticket.CookiePath);
var encTicket = FormsAuthentication.Encrypt(newTicket);

Set your customized ticket into cookie and add to response

cookie.Value = encTicket;
response.Cookies.Add(cookie);

Answer 2

Apparently I was on the right track: http://www.asp.net/learn/security/tutorial-03-vb.aspx (Step 4: Step 4: Storing Additional User Data in the Ticket)

Answer 3

Yes. If you are storing the User ID and Login in the cookie what's stopping someone from changing their cookies to anyone's User ID and Login?

You need to set up an auth ticket system. Basically it's a cookie value that gets checked when no session exists. If a value is present you run that against a ticket table which should contain their User ID. If you find the ticket, give them a session and a new ticket.

Answer 4

If you've already got a user table with profile information in it, why don't you hook into it with a custom profile provider.

If you want another example of how to implement something like this, you could take a look at the SQL Table Profile Provider

Answer 5

Maybe you could just create another cookie... I personally wouldn't mess with the auth cookie.

Answer 6

Storing extra user data in the cookie means a larger cookie that is sent back and forth from the client with every request.

A better approach to avoid the extra database hits you are worried about is to cache that data in memory after the user logs in.

ASP.NET has a per request cache HttpContext.Current.Items and a app domain cache HttpContext.Current.Cache, I think you are looking for HttpContext.Current.Cache in this instance.

Alternatively if you need caching across web servers (load balanced web servers) you can look into 3rd party key value stores like like memcached, redis, velocity, ncache etc.