2

I am creating a personal website in which I would like users to register for. I have been looking up various security measures that need to be taken, and am curious as to what the main things I have to pay attention to. I have decided to not use ASP.NET Forms Authentication, primarily for the fun of creating the authentication process myself. Here is what I have done thus far:

  • I have a MySQL Database where I am storing the user's login information such as a hash of their password and salt

  • Upon logging in, set a Session equal to their username -- which brings me to the question: Is this the best way to track a logged in user without using Forms Authentication? For example, setting the session would like something like this:

    Session["User"] = username;

Is there a better way to go about tracking logged in users? Or is this an acceptable, yet still secure, way of handling things?

Improve this question
5
  • You'll probably want to set the (Custom) Principal of the Context. Commented Jul 13, 2012 at 15:10
  • So you're reinventing the wheel for fun? Fair enough, I've done the same. Forms Authentication at its core is actually very simple, it stores an encrypted cooking with the authenticated users information. This whole process, including what information is stored and how it's stored, can be customized. Using Session state is essentially doing the same thing only the user information is stored on the server. I would really suggest customizing Forms Authentication rather than doing it all from scratch. Commented Jul 13, 2012 at 15:38
  • 1
    If you can't even get started on your own, then you have no business writting your own authentication system, you WILL implement it wrong. At the very least implement the build in system and figure out how THAT works. Commented Jul 13, 2012 at 15:51
  • I have started and its pretty much completed...I was just looking for suggestions on the best way to track a logged in user if I'm not using Forms Authentication. But thank you for the concerns. Commented Jul 13, 2012 at 17:25
  • 1
    Make sure the session key or cookie, or however you implement it is passed via HTTPS. Commented Jul 13, 2012 at 19:41

2 Answers 2

Reset to default
1

In my opinion a better way is to have user information in the encrypted cookie, that way your server does not need to keep track of each user in session. And it's more reliable than session. What you can do is to use only the mechanism for creating a secure authentication cookie from FormsAuthentication and use your own authorization for example.

public void OnLoginClick(object sender, EventArgs e)
{
   if(MySqlValidUser(username, pass)) // this is where you would check if user is valid
   {
      FormsAuthentication.SetAuthCookie(username, null);
      Response.Redirect("/");
   }
}

That way if you have forms authentication enabled you can easily access User.Identity.Name or User.IsAuthenticated on your asp.net pages 

<authentication mode="Forms" />
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Perfect! I will try this out sometime today and see what I can do. Thanks!
1

Is there a better way to go about tracking logged in users?

Microsoft designed Forms Authentication to use an encrypted cookie, with a cookieless fallback that uses querystring. So they obviously think it's a better way than using Session.

One advantage is that a User isn't automatically logged out if his Session is lost (timed out, but can also be lost if the application is recycled when using InProc Session - which is the default).

If you really want to "roll your own", I suggest you consider:

  1. Writing a custom MembershipProvider, which will work with the FormsAuthentication infrastructure but enable you to learn something about the implementation details.

  2. Or study the FormsAuthentication design, and attempt to replicate most of it (for example: you might omit support for cookieless authentication).

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.