Perhaps you might use the Forms Authentication cookie/ticket management, which
is very similar to the one you'd described, but you don't need to worry
about key management and expiration issues. You have an example of this here:
On your login page after the validation step, you get the roles info
(string[] roles) and create/encrypt the cookie like this:
HttpCookie cookie = FormsAuthentication.GetAuthCookie( UserId.Text, false );
FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt( cookie.Value );
// Store roles inside the Forms cookie: rebuild the ticket with the same
// settings and put the role list in the UserData field.
FormsAuthenticationTicket newticket = new FormsAuthenticationTicket(
    ticket.Version,
    ticket.Name,
    ticket.IssueDate,
    ticket.Expiration,
    ticket.IsPersistent,
    String.Join( "|", roles ),
    ticket.CookiePath );
cookie.Value = FormsAuthentication.Encrypt( newticket );
Context.Response.Cookies.Set( cookie );
Response.Redirect( FormsAuthentication.GetRedirectUrl( newticket.Name,
    newticket.IsPersistent ) );
In Application_AuthenticateRequest you put this code to load your
Principal object.
if (Context.Request.IsAuthenticated)
{
    // retrieve user's identity from httpcontext user
    FormsIdentity ident = (FormsIdentity)Context.User.Identity;
    // retrieve roles from the authentication ticket userdata field
    string[] arrRoles = ident.Ticket.UserData.Split(new char[] {'|'});
    // create principal and attach to user
    Context.User = new System.Security.Principal.GenericPrincipal(ident,
        arrRoles);
}
I hope this helps.
Regards,
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl
This posting is provided "AS IS" with no warranties, and confers no rights.
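The same UserData approach as an added example (not code from Hernan's post), with the checks a reviewer would ask for: refusing role names that contain the separator, HttpOnly/Secure on the cookie, and tolerating a ticket with empty UserData. RoleTicketHelper and its method names are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not from the original post. RoleTicketHelper is an assumed name.
public static class RoleTicketHelper
{
    private const char Separator = '|';

    // Login page, after the credentials have been validated.
    public static void IssueRolesCookie(HttpResponse response, string userName,
                                        string[] roles, bool persistent)
    {
        // A role name containing the separator would split into extra roles
        // when the ticket is read back, so refuse it up front.
        foreach (string role in roles)
        {
            if (role.IndexOf(Separator) >= 0)
                throw new ArgumentException("Role name must not contain '" + Separator + "'.");
        }
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        FormsAuthenticationTicket withRoles = new FormsAuthenticationTicket(
            ticket.Version, ticket.Name, ticket.IssueDate, ticket.Expiration,
            ticket.IsPersistent, String.Join(Separator.ToString(), roles), ticket.CookiePath);
        cookie.Value = FormsAuthentication.Encrypt(withRoles);
        cookie.HttpOnly = true;                         // keep the ticket away from page script
        cookie.Secure = FormsAuthentication.RequireSSL; // as <forms requireSSL="..."> dictates
        response.Cookies.Set(cookie);
    }

    // Global.asax: call from Application_AuthenticateRequest.
    public static void AttachPrincipal(HttpContext context)
    {
        if (!context.Request.IsAuthenticated) return;
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null || identity.Ticket.Expired) return; // not a valid Forms ticket

        // Empty UserData (e.g. a ticket issued by SetAuthCookie) means no roles.
        string userData = identity.Ticket.UserData;
        string[] roles = String.IsNullOrEmpty(userData)
            ? new string[0]
            : userData.Split(new char[] { Separator }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

The ticket is encrypted and signed with the keys from <machineKey>, so on a web farm set an explicit validationKey and decryptionKey there so every server can read it. A role change only takes effect when a new ticket is issued, so keep the ticket timeout short if roles are revoked often.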
A. Elamiri said:
I would like to store some Role Information in a cookie since I cannot use
Session in the AuthenticateRequest method.
I thought of encrypting the cookie using Rijndael Algo. for provider. I
would generate a 16 character key, store it as a Cached object and replace it
every 20-30 minutes; if the cookie data does not decrypt then simply reload
it because I would assume that key expired.
Is this a secure way of doing it?