Maximum Length of FormsAuthenticationTicket.UserData Property

Question

I am implementing a Custom Identity class for an ASP.Net 4.0 site with Forms Authentication based on this tutorial:
Forms Authentication Configuration and Advanced Topics

I would like to store extra user information (First/Last Name, Gender, Geographic Region, Profile Picture Thumbnail Filename, etc...) in the AuthCookie. There is a warning on msdn.microsoft.com about limiting the size of the UserData property.

I have not been able to find a definitive character limit for the UserData property. Only that the entire encrypted cookie should be under 4096 bytes.

Anybody know a maximum character limit I should assume in my code? Or have a better idea about how to store these frequently needed pieces of user information?

Thanks

Answer 1

There's no explicit limit - the maximum size will depend, for example, on the length of the username. Also the maximum size of a cookie (or of a URL if you're using cookieless tickets) is browser-dependent.

You could store that sort of information server-side (e.g. Session), possibly with some kind of key / id in the cookie. One way of doing this would be to implement a custom ProfileProvider.

One disadvantage of storing application-specific information such as you describe in the FormsAuthentication cookie is that you will need some redesign if ever your application needs to switch from FormsAuthentication to some other authentication method (e.g. WindowsAuthentication).

Personally I'd only store information that's relevant for authentication and possibly authorization in the FormsAuthentication cookie, as anything else would increase coupling.

Answer 2

It depends on the browser's max cookie length. This article may help: Browsers Cookie Limit

And this article also helps you to check your current authentication ticket size: Asp.Net Authentication Ticket Checking