Reputation: 2312
I am wondering if there are any risks or pitfalls involved in me using the WindowsAuthentication_OnAuthenticate event to create a FormsAuthentication ticket to store user roles. I grab these roles from a couple of different queries (I don't have permission to change the db schema so...). I don't want to use ASP.NET's role manager, and my concern is that if I don't use a cookie (at least one that expires every 30 mins or so) then performance might be an issue, since WindowsAuthentication_OnAuthenticate would get called for every request and I'd be making these db calls constantly (not to mention having to decrypt the cookie and build a custom principal for my Context on the Application_AuthenticateRequest event).
Upvotes: 1
Views: 736
Reputation: 30152
Yes and no. If it's compromised, yes; if not, no. From a security standpoint it's not a good idea, and this has been compromised, although quickly patched (see the POET vulnerability). It's for you to decide if the risk is worth it, which it generally isn't.
Why not consider a server-side cache to store this data on instead, and only if the cache is empty then check for the roles?
Upvotes: 3
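One way to do the server-side caching suggested in the answer, as an added example that is not code from either poster: roles stay in the ASP.NET cache keyed by the user's SID, so nothing role-related is sent to the client and the database is queried only on a cache miss. The `LoadRoles` query, the `UserRoles` table, its columns and the `AppDb` connection string name are assumptions standing in for the existing role queries.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public class Global : HttpApplication
{
    // Absolute expiry: a revoked role stops being honoured within 30 minutes.
    private static readonly TimeSpan RoleLifetime = TimeSpan.FromMinutes(30);

    protected void WindowsAuthentication_OnAuthenticate(object sender, WindowsAuthenticationEventArgs e)
    {
        WindowsIdentity identity = e.Identity;
        if (identity == null || !identity.IsAuthenticated || identity.User == null)
            return; // anonymous request: keep the default principal

        // Key on the SID from the Windows token, never on client-supplied data.
        string key = "roles:" + identity.User.Value;
        string[] roles = HttpRuntime.Cache[key] as string[];
        if (roles == null)
        {
            roles = LoadRoles(identity.Name); // cache miss: query the database once
            HttpRuntime.Cache.Insert(key, roles, null,
                DateTime.UtcNow.Add(RoleLifetime), Cache.NoSlidingExpiration);
        }
        e.User = new GenericPrincipal(identity, roles);
    }

    // Hypothetical query: table, columns and connection string name are assumptions.
    private static string[] LoadRoles(string account)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT RoleName FROM UserRoles WHERE Account = @account", conn))
        {
            cmd.Parameters.AddWithValue("@account", account);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read())
                    roles.Add(reader.GetString(0));
        }
        return roles.ToArray();
    }
}
```

The cache is per worker process, so in a web farm each server loads a user's roles on its own first request from that user.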