synepis

Reputation: 1332

Is it safe to store only userId using SetAuthCookie() in ASP.NET

I was wondering if it is safe to store only the UserId (the primary key in the database) in the cookie using FormsAuthentication.SetAuthCookie() and save it as a persistent cookie?

I've seen a lot of examples where people save usernames, but this (userId) could be a one- or two-digit number, which I guess would make it even easier to obtain. So my question is: should I do it? If not, why, and would it be a lot better if I simply saved the username? (which could again be a short name)

Upvotes: 5

Views: 2005

Answers (2)

quentin-starin

Reputation: 26698

It is not safe if you store that value unencrypted and then read that value back from the cookie and use it to authenticate the user's identity on subsequent requests (using the username this way would also be insecure).

It is not safe because it is trivial to change the value in the cookie and then users could subsume the identity of another user.

It is safe, however, if you store the User Id in the FormsAuthenticationTicket.UserData and encrypt the ticket.

Upvotes: 5
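A worked example of the approach this answer recommends, added here and not code from the original post: the numeric id travels in the encrypted ticket's UserData rather than as a raw cookie value, and is only trusted after the ticket decrypts and validates. The class name `UserIdAuth` and its method names are assumptions; the framework calls are the standard `System.Web.Security` API.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class UserIdAuth
{
    // Issue the forms-auth cookie with the user's id inside the ticket.
    public static void IssueCookie(HttpResponse response, string userName,
                                   int userId, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.Add(FormsAuthentication.Timeout),
            isPersistent: persistent,
            userData: userId.ToString(),   // assumption: id as a decimal string
            cookiePath: FormsAuthentication.FormsCookiePath);

        // With the default machineKey protection ("All") the ticket is both
        // encrypted and MAC'd, so a client cannot edit the id and still pass.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                         // not readable from script
            Secure = FormsAuthentication.RequireSSL, // honour requireSSL setting
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Read the id back on a later request. Returns null when the cookie is
    // absent, fails to decrypt or validate, has expired, or holds a bad id.
    public static int? ReadUserId(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }   // tampered or foreign ticket

        if (ticket == null || ticket.Expired) return null;

        int id;
        return int.TryParse(ticket.UserData, out id) ? id : (int?)null;
    }
}
```

The id is never taken from the cookie directly; only what `Decrypt` returns is used, so a short numeric id is no easier to forge than a username would be.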

Spooks

Reputation: 7187

I don't think people could do much with just the UserID (by the sounds of it) or with a primary key in a database

Upvotes: 0
