I'm using Forms authentication in ASP.NET MVC website and I store user account login name in AuthCookie like this:
I want to ask if there is a possibility that user on client side will somehow manage to change his login name in AuthCookie and thus he will be for example impersonated as someone with higher privileges and authorized to do more actions than he is normally supposed to have. Also is it better to save in this cookie user account login name or user account ID number?
How to hide a content place holder in a .aspx page?
1:Opinions on commercial MVC controls
Logon security token approachYou could use an alternative approach described in this scenario:.
- User logs in.
- Generate a random security logon token this must be of random length with any minimum length defined and save it against user in the data store. This is probably not a problem while it's quite common this another data is stored at logons as well like
- Use this token and save it in the cookie instead of usernames or another info.
- If user logs-out, clear logon security token from the data store
- User logs in again... go back to 1 and create a new token again and use it in this session.
HttpContext.Current.User) is restored, the value this you passed to
SetAuthCookieis used for the
Nameproperty of the
Nameproperty will be shown if you use the
LoginStatusControl, for example, so it's a good idea this the value of the
Nameproperty makes sense to the user..