Cache Dependent Key/Encryption

  1. #1

    Cache Dependent Key/Encryption

    I would like to store some Role Information in a cookie since I cannot use
    Session in the AuthenticateRequest method.

    I thought of encrypting the cookie using the Rijndael algorithm as the
    provider. I would generate a 16-character key, store it as a cached object
    and replace it every 20-30 minutes. If the cookie data does not decrypt,
    then simply reload it, because I would assume that the key expired.

    Is this a secure way of doing it?


    A. Elamiri Guest

  3. #2

    Re: Cache Dependent Key/Encryption

    Perhaps you might use the Forms Authentication cookie/ticket management,
    which is very similar to the one you described, but you don't need to worry
    about key management and expiration issues. You have an example of this here:

    On your login page after the validation step, you get the roles info
    (string[] roles) and create/encrypt the cookie like this:

    HttpCookie cookie = FormsAuthentication.GetAuthCookie( UserId.Text, false );
    FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt( cookie.Value );

    // Store roles inside the Forms cookie.
    FormsAuthenticationTicket newticket = new FormsAuthenticationTicket(
        ticket.Version,
        ticket.Name,
        ticket.IssueDate,
        ticket.Expiration,
        ticket.IsPersistent,
        String.Join( "|", roles),
        ticket.CookiePath);

    cookie.Value = FormsAuthentication.Encrypt(newticket);
    Context.Response.Cookies.Set(cookie);
    Response.Redirect( FormsAuthentication.GetRedirectUrl( newticket.Name,
        newticket.IsPersistent ) );

    In Application_AuthenticateRequest you put this code to load your
    Principal object.

    if (Context.Request.IsAuthenticated)
    {
        // retrieve user's identity from httpcontext user
        FormsIdentity ident = (FormsIdentity)Context.User.Identity;
        // retrieve roles from the authentication ticket userdata field
        string[] arrRoles = ident.Ticket.UserData.Split(new char[] {'|'});
        // create principal and attach to user
        Context.User = new System.Security.Principal.GenericPrincipal(ident, arrRoles);
    }

    I hope this helps.

    Regards,

    Hernan de Lahitte
    Lagash Systems S.A.
    http://weblogs.asp.net/hernandl


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Hernan de Lahitte Guest
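
The ticket approach from the reply above, wrapped in a helper that also covers the cases the snippets leave open: a role name containing the `|` separator, an empty UserData field, and a cookie that fails to decrypt or has expired. This is an added example, not code from the thread; the `RoleTicket` class and its method names are hypothetical, and it assumes the `<forms>` element keeps its default `protection="All"` so the ticket is both encrypted and validated.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: hypothetical helper, not the poster's code.
public static class RoleTicket
{
    private const char Separator = '|';

    // Login side: build the forms cookie with the roles stored in UserData.
    public static HttpCookie Issue(string userName, string[] roles, bool persistent)
    {
        // A role containing the separator would be split into two roles on read.
        foreach (string role in roles)
            if (role.Length == 0 || role.IndexOf(Separator) >= 0)
                throw new ArgumentException("Role name is empty or contains '|': " + role);

        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
        FormsAuthenticationTicket withRoles = new FormsAuthenticationTicket(
            t.Version, t.Name, t.IssueDate, t.Expiration, t.IsPersistent,
            String.Join(Separator.ToString(), roles), t.CookiePath);
        cookie.Value = FormsAuthentication.Encrypt(withRoles);
        return cookie;
    }

    // AuthenticateRequest side: returns null for a missing, malformed,
    // tampered or expired ticket so the caller leaves the user anonymous.
    // Typical call: RoleTicket.Read(Request.Cookies[FormsAuthentication.FormsCookieName])
    public static IPrincipal Read(HttpCookie cookie)
    {
        if (cookie == null || String.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }       // invalid ticket format
        catch (CryptographicException) { return null; }  // decryption/validation failed
        if (ticket == null || ticket.Expired) return null;

        // "".Split('|') yields one empty string, which would become a role named "".
        string[] roles = String.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(Separator);
        return new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Roles stored this way stay fixed until the ticket expires, so a role removed on the server remains in effect for the lifetime of an already issued cookie.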

  4. #3

    Re: Cache Dependent Key/Encryption

    Thanks!! I'll try that out

    --
    Abdellah Elamiri
    .net Developer
    Efficacy through simplicity

    A. Elamiri Guest
