Itakou

Reputation: 39

Forms Authentication and Security

I'm creating a web application (C#, MVC3) and trying to figure out the best practice to log a user on. I'm sticking with the built-in FormsAuthentication framework and a custom Membership provider to validate a user. But the problem is, there is a lot of user information (first name, last name, user id, last login date, etc.) I would like to save somewhere for easy access in my code.

First thought was to overload IIdentity and IPrincipal, but I was reading that they require a database hit every page load. Then I was thinking about cookies, but some posts were saying it is unwise to store sensitive information in them.

Any suggestions would be great.

Upvotes: 1

Views: 276

Answers (2)

Tadas Šukys

Reputation: 4220

You can still use FormsAuthentication. Sensitive user information can be stored in FormsAuthenticationTicket.UserData property. And it's safe - the authentication cookie is encrypted by FormsAuthenticationModule after FormsAuthenticationTicket serialization.

Upvotes: 2

ctorx

Reputation: 6941

I created a class called MiniUserModel in my app that has a few pieces of information I need, including User ID, Name, etc., but nothing super sensitive.

I serialize that instance to JSON, encrypt the JSON string, and write the value out to a Cookie.

This allows me to get access to the data easily on every page view without re-querying the database. Because my object is small, the cookie and resulting request footprint is not adversely affected. This does add "some" overhead for decrypting and deserializing on each request, however (you could profile it to see if it is a problem; in my case it is not).

If you do this approach, it is important that you make sure to update the cookie value when a user changes their information.

Upvotes: 1
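Both answers boil down to the same pattern: serialize a small, non-secret user summary, let the framework encrypt and sign it, and put it in a cookie so every request can rebuild the user without a database hit. The following is an added example (not code from either answer or from the question's project) that does this with FormsAuthenticationTicket.UserData as Tadas suggests, rehydrates a principal in Global.asax, and re-issues the cookie on profile changes as ctorx points out. MiniUserModel, MiniUserPrincipal, MiniUserAuth and the method names are assumed; the FormsAuthentication, HttpCookie and JavaScriptSerializer APIs are standard System.Web types available in .NET 4 / MVC3.

```csharp
// Added example: user summary in FormsAuthenticationTicket.UserData.
// Type and method names below are assumptions for illustration; the
// System.Web APIs used are real.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Keep this small and free of anything you would not want to live in a
// cookie for the lifetime of the session (no password hashes, no roles that
// are checked server-side elsewhere).
public class MiniUserModel
{
    public int UserId { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public DateTime LastLogin { get; set; }
}

// Principal that carries the MiniUserModel for the rest of the request.
public class MiniUserPrincipal : GenericPrincipal
{
    public MiniUserModel User { get; private set; }

    public MiniUserPrincipal(IIdentity identity, MiniUserModel user)
        : base(identity, new string[0])
    {
        User = user;
    }
}

public static class MiniUserAuth
{
    private static readonly JavaScriptSerializer Json = new JavaScriptSerializer();

    // Call after Membership.ValidateUser succeeded. Instead of
    // FormsAuthentication.SetAuthCookie we build the ticket ourselves so
    // UserData can carry the serialized model. Encrypt() both encrypts and
    // MACs the ticket with the machineKey, so the browser can neither read
    // nor tamper with it; a modified cookie simply fails validation.
    public static void SignIn(HttpResponseBase response, string userName,
                              MiniUserModel user, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent, Json.Serialize(user), FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // HTTPS-only when configured
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Wire into Global.asax:
    //   protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    //   { MiniUserAuth.RehydratePrincipal(new HttpContextWrapper(Context)); }
    // This runs after FormsAuthenticationModule has already decrypted and
    // validated the cookie, so an expired or forged ticket never gets here
    // as a FormsIdentity.
    public static void RehydratePrincipal(HttpContextBase context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || string.IsNullOrEmpty(identity.Ticket.UserData)) return;

        MiniUserModel user;
        try
        {
            user = Json.Deserialize<MiniUserModel>(identity.Ticket.UserData);
        }
        catch (ArgumentException)           // malformed UserData from an old
        {                                   // ticket format: keep plain identity
            return;
        }
        catch (InvalidOperationException)
        {
            return;
        }

        context.User = new MiniUserPrincipal(identity, user);
        Thread.CurrentPrincipal = context.User;   // keep MVC's view of User in sync
    }

    // The cookie is a snapshot. Re-issue it whenever the profile is updated,
    // otherwise the rest of the session shows stale data.
    public static void RefreshAfterProfileChange(HttpContextBase context, MiniUserModel updated)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return;
        SignIn(context.Response, identity.Name, updated, identity.Ticket.IsPersistent);
    }
}
```

Two practical limits to keep in mind: the whole encrypted ticket has to fit in a single cookie (browsers cap cookies around 4 KB, and the Base64 ciphertext is larger than the JSON), so UserData is for a handful of fields, not a full profile; and the data is only as fresh as the last SignIn call, so anything that must be revoked immediately (a disabled account, a changed role) still needs a server-side check rather than trusting the cookie snapshot.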
