FormsAuthentication + Protection + Recycling

StanD

When a client enters the site I check for a persistent cookie of short
duration, and if present decrypt it to obtain identification data, which is
restored to the session state if necessary. The Protection parameter in the
web config file is set to "All". The host server is running W2003 OS, which
is recycling every 10 minutes. When recycling occurs, and a client's cookie
is checked thereafter, the decryption causes an exception with the message "bad
data". Someone suggested setting the Protection parameter to "None", which
works fine, and decryption is successful. What bothers me is concern over
security. What is the price? The cookie appears to be encrypted. I would
like to know if decryption can be made to work across recycling with optimum
security.

Appreciate your thoughts.
 
Daniel Fisher (lennybacon)

> Protection parameter to "None", which works fine, and decryption is

sure?

[...]
None:
Specifies that both encryption and validation are disabled for sites that
are using cookies only for personalization and have weaker security
requirements. Using cookies in this manner is not recommended; however, it
is the least resource-intensive way to enable personalization using the .NET
Framework.
[... from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfForms.asp ]

By default IIS 6.0 is configured to recycle its worker process every 29
hours. If you have problems with recycling it every 10 minutes, try to
recycle it after a defined number of requests or memory usage...

(http://www.asp.net/faq/AspNetAndIIS6.aspx)



Daniel
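
To make the quoted MSDN description of "None" concrete, the following sketch (an added example, not code from either poster or from ASP.NET itself) models a cookie with and without a validation tag. The `CookieDemo` helper, the key and the ticket strings are hypothetical, and HMAC-SHA256 stands in for the framework's own validation; it assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical model, not System.Web's ticket format. Requires .NET 6 or later.
static class CookieDemo
{
    static string B64(string s) => Convert.ToBase64String(Encoding.UTF8.GetBytes(s));
    // With validation: payload plus an HMAC computed under a server-side key.
    public static string Issue(string payload, byte[] key)
    {
        using var mac = new HMACSHA256(key);
        byte[] tag = mac.ComputeHash(Encoding.UTF8.GetBytes(payload));
        return B64(payload) + "." + Convert.ToBase64String(tag);
    }
    // Accepts the cookie only if the tag matches the payload under this key.
    public static bool TryVerify(string cookie, byte[] key, out string payload)
    {
        payload = "";
        string[] parts = cookie.Split('.');
        if (parts.Length != 2) return false;
        try
        {
            byte[] data = Convert.FromBase64String(parts[0]);
            byte[] tag = Convert.FromBase64String(parts[1]);
            using var mac = new HMACSHA256(key);
            if (!CryptographicOperations.FixedTimeEquals(mac.ComputeHash(data), tag)) return false;
            payload = Encoding.UTF8.GetString(data);
            return true;
        }
        catch (FormatException) { return false; }
    }
    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);      // constructed key
        string cookie = Issue("user=stan", key);              // constructed ticket data
        // Payload replaced, tag kept from the genuine cookie.
        string altered = B64("user=other") + "." + cookie.Split('.')[1];
        // Without validation the server can only decode what it receives.
        Console.WriteLine("no validation, altered accepted as: "
            + Encoding.UTF8.GetString(Convert.FromBase64String(altered.Split('.')[0])));
        Console.WriteLine("validated, intact:  " + TryVerify(cookie, key, out _));
        Console.WriteLine("validated, altered: " + TryVerify(altered, key, out _));
        // A different key, as after a key change, also fails the check.
        Console.WriteLine("validated, new key: "
            + TryVerify(cookie, RandomNumberGenerator.GetBytes(32), out _));
    }
}
```

Only the intact cookie checked under the issuing key passes; with no tag at all, the server has no way to tell the altered value from the genuine one.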
 
