
I'm just looking into ASP.NET Identity, which seems to be the most preferable solution for user authentication in ASP.NET apps these days (replacing all the ASP.NET Membership stuff from the past).

I am looking for a solution that would allow us to maintain information about anonymous users. Even if the user is not authenticated, we can collect and store most of the profile data that we could store if the user was authenticated.

Even if the user is anonymous, it makes sense to store data like:

  • shopping cart
  • comments he's written on the site (so that he can edit them as their creator)
  • various site preferences (his preferred language, and many other settings)

Then when the user registers, we can offer to copy some of this data into his new user profile (or copy it automatically) depending on what data it is.

Is it possible to achieve this scenario with ASP.NET Identity? It seems that when a user is anonymous in ASP.NET Identity, he cannot have any user profile data.

In order to use the same tables to store all this information as for authenticated users, we might need to create a new user in the system for every new visitor that comes to the site and does some action that requires storing of some user data.

After that, we'd need to pass some cookie identifier to the user, so that we can always connect the data to the user, which can be seen as some form of authentication (although invisible to the actual user). That way, the guest user could actually represent an authenticated user of the system (maybe he'd just have a special role?), even though to his knowledge he's anonymous.

What do you think about this approach? Are there any ways where ASP.NET Identity can help with this?

I found these two related Stack Overflow questions, but I haven't found my answer in them:


Edit:

I discovered that there's a mechanism called Anonymous Identification in ASP.NET that seems to solve part of the issue.

https://msdn.microsoft.com/en-us/library/91ka2e6a(v=vs.85).aspx

Maybe it can be somehow integrated with ASP.NET Identity?

Edit2: As noted in the comments, the documentation for Anonymous Identification seems to be outdated and it's quite probable that Microsoft will not be focusing on this much in the future. Solutions that work with ASP.NET Identity or other OWIN-based solutions are preferred.

Tom Pažourek
  • I'm afraid Identity won't help you much here. There is no built-in functionality here - you'll have to come up with most of the stuff yourself. However you can use some of OWIN cookie middleware to work with claims and cookies. – trailmax Sep 21 '16 at 10:57
  • I've done user authentication cookie with OWIN without Identity. Relevant parts can be seen here: https://github.com/trailmax/OwinADAuthentication/blob/master/ActiveDirectoryAuthentication/Models/AdAuthenticationService.cs#L82 – trailmax Sep 21 '16 at 10:59
  • @trailmax: Thanks for the response. I like most of the features in ASP.NET Identity and plan to use them, so I'm more looking into how to integrate these guest users into the ASP.NET Identity framework. – Tom Pažourek Sep 21 '16 at 11:06
  • I was thinking more in terms of giving anonymous users cookie from OWIN without Identity involved, but put some identifier that you can correlate to your stored information about these users. But as soon as they register - check if that correlation id is present - and retrieve the relevant data and copy to the actual record info. – trailmax Sep 21 '16 at 13:11
  • I really think in this case you'll fight Identity more than it'll give you benefit. I'll run into things like required email, username, etc. – trailmax Sep 21 '16 at 13:12
  • @trailmax: Interesting notes, thanks. It might make more sense to have the stored user information completely separated from the Identity user. It might result in fewer workarounds than when trying to do some special kinds of Identity users for the guests. – Tom Pažourek Sep 21 '16 at 13:26
  • Yes, exactly that - guests are not users, they should be treated differently. – trailmax Sep 21 '16 at 13:33
  • Re anonymous authentication from your update - it does not add confidence that this topic is not available for the latest .Net version. – trailmax Sep 21 '16 at 13:34
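
The approach suggested in the comments above (an opaque identifier in a guest cookie, correlated with separately stored guest data and copied to the real record on registration), as an added C# example that is not code from this thread. `GuestStore`, its method names and the in-memory dictionary (standing in for a database table) are hypothetical; the application is assumed to send the returned value in a cookie marked HttpOnly and Secure.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class GuestStore
{
    private readonly byte[] _key; // server-side secret, never sent to the browser
    private readonly Dictionary<string, List<string>> _carts = new Dictionary<string, List<string>>();
    public GuestStore(byte[] key) { _key = key; }

    // Cookie value: 128-bit random id + "." + HMAC-SHA256 tag; forged values fail before any lookup.
    public string IssueCookieValue()
    {
        var raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string id = BitConverter.ToString(raw).Replace("-", "");
        _carts[id] = new List<string>();
        return id + "." + Sign(id);
    }

    // Returns the guest id, or null when the value is malformed, tampered with, or already merged.
    public string Validate(string cookieValue)
    {
        int dot = cookieValue == null ? -1 : cookieValue.IndexOf('.');
        if (dot <= 0) return null;
        string id = cookieValue.Substring(0, dot);
        return SameTag(cookieValue.Substring(dot + 1), Sign(id)) && _carts.ContainsKey(id) ? id : null;
    }

    public void AddToCart(string guestId, string item) { _carts[guestId].Add(item); }

    // Call once after registration or sign-in succeeds; the guest record is then retired.
    public bool MergeInto(string cookieValue, List<string> userCart)
    {
        string id = Validate(cookieValue);
        if (id == null) return false;
        userCart.AddRange(_carts[id]);
        _carts.Remove(id); // a copied cookie cannot attach this data to another account later
        return true;
    }

    private string Sign(string id)
    {
        using (var h = new HMACSHA256(_key))
            return BitConverter.ToString(h.ComputeHash(Encoding.ASCII.GetBytes(id))).Replace("-", "");
    }

    private static bool SameTag(string a, string b) // time does not depend on where the tags differ
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```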

2 Answers


ASP.NET Identity has no such thing, and it will not be secure to identify the anonymous user even through his IP or a cookie in his browser. You can ask the user to register with very minimal info or through FB or Twitter to make the registration process as short as possible, and later he can complete his profile; this way you will make sure the data is linked to an actual profile.

Haitham Shaddad
  • From a security perspective, it's not much of a concern, it doesn't matter if the cookie gets stolen or something, for all the really important actions, proper authentication will be required. And it will massively hurt conversions if I ask users to login through Facebook before they can add an item to a shopping cart. And also why do you assume that it will not be secure to identify users via a cookie? Doesn't ASP.NET Identity also use cookies? – Tom Pažourek Sep 21 '16 at 13:20
  • ASP.NET uses cookies as a way to keep the user session and avoid requesting him to log in with every request, but surely not to authenticate the user. – Haitham Shaddad Sep 22 '16 at 19:33
  • But I can steal the session cookie and gain access to the system and user's identity by doing so. My point is that using a cookie to identify anonymous users can be as secure as using a cookie to identify user's session. – Tom Pažourek Sep 22 '16 at 19:46
  • Yes, but that will be linked only to the browser that the user surfed the site from, if he or she tried to access the site from elsewhere, they will be considered a new user – Haitham Shaddad Sep 22 '16 at 19:49
  • IIRC it doesn't work that way unless you implement some custom mechanism that will link the session cookie to the browser. I'm afraid I can steal the session cookie and use it in another browser and another IP without a problem. And even if there was some protection like that, the same mechanism can be used for the anonymous identification cookie. – Tom Pažourek Sep 22 '16 at 20:11

ASP.NET profile properties allow your application to track and permanently store user-specific information. For example, users can specify a postal code or a favorite color scheme, and your application can store that information and retrieve it from anywhere in the application. ASP.NET automatically matches the current user — whether the user is anonymous or logged on — with the personal information that is stored for their user account.

Configuring Profile Properties

You will begin by configuring your application to enable profile properties. You will then define the first property that you want to track for each user. This property is named PostalCode and will be tracked for both anonymous and logged-on users.

Source: https://msdn.microsoft.com/en-us/library/taab950e.aspx

Sunil Kumar
  • This doesn't seem to be updated anymore (for newer versions of .NET) and also there's no mention of those anywhere in ASP.NET Identity. I assumed that all of this was part of the older membership-related libraries that ASP.NET Identity is supposed to be replacing. I aim to stay away from those legacy libraries for any new development as it seems that Microsoft will only focus on supporting features on top of the OWIN infrastructure... – Tom Pažourek Sep 21 '16 at 13:49