Here is my problem, if I can call it that. I have implemented authentication with a custom membership provider in ASP.NET MVC 2.0. Everything works well, but I have one problem. When a user logs in, he provides his username and password, and I check them against the database in MSSQL; then I validate the user and password and use FormsAuthentication to set only the UserName as profile information.

But when that user wants to create a new item (let's say for sale or something) that belongs only to him and can be listed with the other items that user created, I can use this username (in FormsAuthentication), check it in the database, and connect that item to the appropriate user with a foreign key. But that works if the username is unique, so I need additional information, like the ID column from the database table "user", to store and use later. So what is the most secure and "best practice" way to store additional information about the user and use it later? Because the username, as I mentioned, must be unique in the database, and it is not enough information about the logged-in user.

1 Answer

Couldn't you store the User object (or whatever additional info you have) in the Session? Or use a cookie on the client side (if you need to persist the login state even after the user closes his browser, etc.)? Let me know if you need specific examples.

EDIT: After reading your comments, if you are looking for a "secure cookie" solution have a look at this: http://www.codeproject.com/Articles/13665/HttpSecureCookie-A-Way-to-Encrypt-Cookies-with-ASP

I use it to store the user's id (only his id). When I retrieve this cookie I load the user given his id. Some in-memory caching allows me to avoid loading the user on each request.

But I just wanted to clarify that the session object seems great for what you are trying to do, plus you don't have to worry about security (for the average app, that is).

6 Comments

I found that the session is not the most secure way to do that stuff... I have my code, but this is the only functionality that I need right now... I found some examples here at Stack Overflow but wanted to give it another try from another perspective.
Why not? The session is stored purely on the server, so it's more secure than putting stuff in a cookie, for instance. I use cookies to persist user data and have to encrypt/decrypt them every time I need to read/update them.
That encrypt/decrypt way, I thought it is a good way, but I never used it before because I am new to ASP.NET MVC. I found a few examples but wanted to hear other thoughts about implementing this functionality that or another way...
Have a look at my edit in the post above. I think it's what you are looking for.
Mmm, I read it is also the same (in principle of functionality) as FormsAuthenticationTickets, for which I found the answer here: stackoverflow.com/questions/7524136/… stackoverflow.com/questions/8547107/… danharman.net/2011/07/07/…
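
The FormsAuthenticationTicket approach mentioned in the last comment, as an added example that is not code from the thread: the numeric user ID travels in the ticket's `UserData` field, which `FormsAuthentication.Encrypt` protects according to the `<forms protection>` setting. The class name `AuthTicketHelper`, its method names, and the 30-minute lifetime are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the thread): carries the user's database ID
// in the UserData field of the forms authentication ticket.
public static class AuthTicketHelper
{
    // Call only after the membership provider has validated the credentials.
    public static void SignIn(HttpResponseBase response, string userName,
                              int userId, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(30),    // assumed lifetime
            persistent,
            userId.ToString(),              // UserData: the ID only, nothing sensitive
            FormsAuthentication.FormsCookiePath);

        // Encrypt() encrypts and signs the ticket when protection="All" (the default).
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL="...">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Returns the ID stored in the current request's ticket, or null when the
    // request is anonymous or UserData does not hold an integer.
    public static int? GetUserId(HttpContextBase context)
    {
        var identity = context.User == null
            ? null
            : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return null;

        int id;
        return int.TryParse(identity.Ticket.UserData, out id) ? id : (int?)null;
    }
}
```

Because the ID is read from the ticket that the forms authentication module has already decrypted and validated, a controller can use `GetUserId` as the foreign key for new items without trusting any client-supplied form field.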