
First off, I am not using Forms Authentication.

I found a great tutorial that almost does what I want: http://www.codeproject.com/Questions/358434/Keep-me-signed-in-until-Loggged-out

The only problem is that it does not seem like a good idea. It stores the username in the cookie. That seems very bad.

How could I do something like this tutorial but in a safe way?

I essentially just want this basic flow:

if user logged in then show page

User can have the option of being logged in for the session (30 mins of inactivity) or until they choose to explicitly logout.

I have a feeling I will need a session table in my db for this, but I am not sure.

It doesn't have to be top of the line security since this is for an intranet, but I do still want it to be somewhat safe.

Thanks

user2043533

3 Answers


The easiest way is in your Login function: once you have verified them, just add:

FormsAuthentication.SetAuthCookie(theUserName, persistCookieBoolean);

Now you have an authentication cookie set. No encrypting or decrypting needed. Get the username like:

HttpContext.Current.User.Identity.Name

And see if they are logged in:

HttpContext.Current.User.Identity.IsAuthenticated

And now you can set authorization easily in the web.config too. Related post: Manual Access control in ASP .Net

MikeSmithDev
  • I cannot seem to access HttpContext.Current.Request.LogonUserIdentity.Name. I tried in my page load but I get an error. – user2043533 Feb 07 '13 at 15:04
  • What does `HttpContext.Current.User.Identity.Name` return tho? [LogonUserIdentity](http://msdn.microsoft.com/en-us/library/system.web.httprequest.logonuseridentity.aspx) != [User.Identity.Name](http://msdn.microsoft.com/en-us/library/system.web.httpcontext.user.aspx) – MikeSmithDev Feb 07 '13 at 15:10
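The answer above covers the one-line `SetAuthCookie` case. The example below is added here and is not MikeSmithDev's code; it shows how the asker's two modes (30 minutes of inactivity, or persistent until explicit logout) map onto a Forms Authentication ticket. It assumes Forms Authentication is enabled in web.config as shown in the leading comment, and that the 30-minute value is hardcoded to match that config.

```csharp
// Added example (not from the answer above). Assumes web.config contains:
//
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" timeout="30" slidingExpiration="true"
//            requireSSL="true" cookieless="UseCookies" />
//   </authentication>
//   <authorization><deny users="?" /></authorization>
//
// timeout is in minutes; slidingExpiration renews the ticket on activity, so
// 30 minutes of *inactivity* ends the session. The "?" deny rule sends every
// anonymous request to loginUrl, so pages need no manual IsAuthenticated check.
using System;
using System.Web;
using System.Web.Security;

public static class LoginHelper
{
    // Must match timeout="30" in web.config (assumption of this example).
    private const int SessionMinutes = 30;

    // Call only after the password check has succeeded.
    // rememberMe == false: session cookie, 30-minute sliding window.
    // rememberMe == true : persistent cookie that lives until Logout().
    public static void IssueTicket(HttpResponse response, string userName, bool rememberMe)
    {
        DateTime issued = DateTime.Now;

        // FormsAuthentication.SetAuthCookie(userName, true) would still expire the
        // persistent cookie after the web.config timeout, so for "until logout"
        // the ticket has to be built by hand with a long expiry.
        DateTime expires = rememberMe ? issued.AddYears(1) : issued.AddMinutes(SessionMinutes);

        var ticket = new FormsAuthenticationTicket(
            1,                  // version
            userName,           // the only identity in the cookie; it is encrypted and signed by ASP.NET
            issued,
            expires,
            rememberMe,
            string.Empty,       // userData: keep it empty, no secrets in the cookie
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // mirrors requireSSL="true"
            Path = FormsAuthentication.FormsCookiePath
        };

        if (rememberMe)
        {
            cookie.Expires = expires;   // without this the browser drops it on close
        }

        response.Cookies.Add(cookie);
    }

    // Login.aspx.cs, after verifying the password (chkRememberMe is a CheckBox on the page):
    //   LoginHelper.IssueTicket(Response, userName, chkRememberMe.Checked);
    //   Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
    //
    // Logout.aspx.cs:
    //   LoginHelper.Logout();
    public static void Logout()
    {
        FormsAuthentication.SignOut();            // clears the auth cookie
        HttpContext.Current.Session.Abandon();    // drop any per-user session data too
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Two points worth knowing before relying on this: the ticket is stateless, so a stolen persistent cookie stays valid until its expiry and cannot be revoked for one user short of changing the machineKey for everyone. That is the case where the asker's "session table in my db" idea does earn its keep: store a random per-login token server-side, and delete the row on logout or on a suspected compromise.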

Encrypt your data (username, etc.) before storing it in the cookie.

Read the cookie, decrypt the data & then validate.

Check this:

Encrypting & Decrypting Data in .NET Applications

Encrypt/Decrypt string in .NET

Kapil Khandelwal
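If you do go the "encrypt the cookie yourself" route from this answer, the detail that matters is integrity, not just secrecy: a ciphertext without a MAC can be tampered with, and encrypted-but-unsigned data is exactly what the linked articles' plain AES samples produce. The example below is added here and is not Kapil Khandelwal's code; it uses `MachineKey.Protect`/`Unprotect` (available from .NET 4.5, an assumption of this example) which encrypts and signs with the application's machineKey, so the cookie is rejected rather than decrypted to garbage when it has been altered. The cookie name and purpose string are made up for the example.

```csharp
// Added example (not from the answer above). Requires .NET 4.5 for MachineKey.Protect.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class ProtectedCookie
{
    // A purpose string binds the ciphertext to this use; the same bytes cannot be
    // replayed as some other protected value in the application.
    private const string Purpose = "RememberMe.v1";   // constructed value for this example

    public static void Write(HttpResponse response, string cookieName, string value, DateTime? expires)
    {
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] sealedBytes = MachineKey.Protect(plain, Purpose);   // encrypt + authenticate

        var cookie = new HttpCookie(cookieName, HttpServerUtility.UrlTokenEncode(sealedBytes))
        {
            HttpOnly = true,   // keep it away from script
            Secure = true      // intranet or not, never send it over plain HTTP
        };
        if (expires.HasValue)
        {
            cookie.Expires = expires.Value;   // persistent; omit for a browser-session cookie
        }
        response.Cookies.Add(cookie);
    }

    // Returns the stored value, or null when the cookie is missing, malformed or tampered with.
    public static string TryRead(HttpRequest request, string cookieName)
    {
        HttpCookie cookie = request.Cookies[cookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return null;
        }

        byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(cookie.Value);
        if (sealedBytes == null)
        {
            return null;   // not valid base64url, someone edited the cookie
        }

        try
        {
            byte[] plain = MachineKey.Unprotect(sealedBytes, Purpose);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException)
        {
            return null;   // signature check failed: treat as not logged in
        }
    }

    // Usage in Page_Load of a protected page:
    //   string user = ProtectedCookie.TryRead(Request, "RememberMe");
    //   if (user == null) Response.Redirect("~/Login.aspx");
}
```

Even with authenticated encryption, the cookie still carries the username and anyone holding the cookie is that user until it expires. If you want to be able to cut a single remembered login off, store a random token in the cookie instead of the username and look it up in a server-side table, which is the design the asker was already guessing at.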

You can use Sessions.

Example code (VB):

On login do:

Session("Username") = "username"

Then each time on page load check if Session("Username") has any data/is not null.

If it's null or empty then the Session has expired and you can kick them out of the page.

Ryan McDonough
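As an added example (not Ryan McDonough's code, and in C# rather than VB to match the other examples on this page), here is the session check centralised in a base page so it cannot be forgotten on an individual page. It assumes `<sessionState mode="InProc" timeout="30" cookieless="UseCookies" />` in web.config, which gives the 30-minute inactivity window. The session cookie is discarded when the browser closes, so this approach only covers the first of the asker's two modes; it cannot by itself provide "stay logged in until I log out".

```csharp
// Added example (not from the answer above). Assumes in web.config:
//   <sessionState mode="InProc" timeout="30" cookieless="UseCookies" />
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Every page that requires a login derives from this instead of Page.
public class ProtectedPage : Page
{
    private const string UserKey = "Username";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Session state is acquired before the handler runs, so it is available here.
        var userName = Session[UserKey] as string;
        if (string.IsNullOrEmpty(userName))
        {
            // Session expired (30 min idle) or never created: back to the login page,
            // remembering where they were so they can be returned afterwards.
            Response.Redirect("~/Login.aspx?ReturnUrl=" + Server.UrlEncode(Request.RawUrl), true);
        }
    }

    // Safe to use from derived pages after OnInit has passed.
    protected string CurrentUser
    {
        get { return (string)Session[UserKey]; }
    }
}

public static class SessionLogin
{
    private const string UserKey = "Username";

    // Call after the password has been verified.
    public static void SignIn(HttpSessionState session, string userName)
    {
        // Clear anything left over from an anonymous session before trusting it;
        // note ASP.NET keeps the same session id across login, so the session
        // cookie should only ever travel over HTTPS (requireSSL on httpCookies).
        session.Clear();
        session[UserKey] = userName;
    }

    public static void SignOut(HttpSessionState session)
    {
        session.Abandon();   // server-side state is gone; the next request gets a fresh session
    }
}
```

With `mode="InProc"` the session also vanishes whenever the worker process recycles, which on an intranet box is usually the reason users report being "randomly logged out"; the Forms Authentication ticket approach in the first answer does not have that problem because the ticket lives in the cookie.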