
I need to implement a secure system in MVC which will recognize that the logged-in user has followed the proper authentication steps.

Can I know which authentication scheme of the following will be better?

  1. Form authentication will use a cookie, which in turn gets the user details based on the cookie. In form authentication we have the advantage that, with the cookie available in the browser, the system will auto-login from that.

  2. Storing the logged-in user information in the session and checking that the user is logged in. But if the session expires we need to log out of the system. Suppose the user needs to work the entire day; sometimes the user can leave without interaction for 20 mins, and the system automatically signs out the user.

  3. Storing the logged-in user details in a SQL Server session, which will have performance issues.

So I need to implement a secure and performance-oriented scheme which will maintain user information securely and also have advantages like auto-login with a cookie.

The primary goal is to maintain which user is logged in; he should be authenticated through the system which he is accessing and safely log out of the system.

Ramselvaraj

1 Answer


Option 1 is not safe because you can pick up the cookie data and insert it into another browser to impersonate the user.

I use option 2, for example with my website, because it has a secure structure. If the browser is closed and opened again the session is destroyed, but you can always use it as long as the same browser is open to access your profile without having to log in.

Option 3 has too much editing and processing effort, so I wouldn't recommend it.

Maintaining the user would simply fall into place when you maintain the user data in the database via an admin panel which you create. So you have the possibility to install an ACL system later.

  • In option 1, if we generate a custom cookie which includes the login time, will it be secure? In option 2 we need to log in once again since the system automatically checks the waiting time; we cannot control it, right? Also, will it raise problems on the web server when multiple people are logged in? – Ramselvaraj Feb 21 '19 at 09:13
  • @Ramselvaraj No, this option is not secure because the stored cookie is limited by a key and a lifetime. For example: key (abc123def4560000XYZ) with a lifetime of (30 days). Thus it would be possible to log in as this person in another browser if one taps off the cookie. You can also write me for more detailed things: info@Code-Projects.com – Feb 21 '19 at 09:16
  • But the session (option 2) will have web server issues when multiple people access the system, since the session is stored on the server? – Ramselvaraj Feb 21 '19 at 09:20
  • @Ramselvaraj For the first time it is now easier to work with a PDO connection instead of mysql or mysqli. In addition, a server user ID (I call it that now) is stored during a session so that the server can assign it if it is used more than once! However, the session in the browser is deleted when it is closed, so you have to log in again. – Feb 21 '19 at 09:27
  • Suppose a website like Stack Overflow, which multiple users access; does it also store the information in the session? Also, when implementing REST-based authentication (cookie sent again and again), will it be insecure? – Ramselvaraj Feb 21 '19 at 09:44
  • @Ramselvaraj Sorry, but the last comment makes no sense. Stack Overflow uses cookies, but I can't tell if it uses authentication cookies or something. – Feb 21 '19 at 09:48
  • I just asked as an example (Stack Overflow), since some websites are used by multiple people. – Ramselvaraj Feb 21 '19 at 10:15
  • Also, will REST-based authentication follow cookie authentication only, e.g. React with Web API? – Ramselvaraj Feb 21 '19 at 10:15
  • @Ramselvaraj I'm afraid I can't say anything about that. I only trust self-developed login and registration systems. But you can take a look at this article over there: https://stackoverflow.com/questions/319530/restful-authentication – Feb 21 '19 at 10:31
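As an added illustration, not code from the question or the answer above, here is a small Python sketch of the two patterns being compared: a cookie that carries user details (option 1) must at least be HMAC-signed so a client cannot alter or fabricate it, while option 2 keeps only an opaque random session id in the browser and enforces the 20-minute idle sign-out from the question with a sliding expiration and a server-side logout. The answer's impersonation concern still applies to a stolen cookie in both patterns; signing only prevents forgery. `SERVER_KEY`, `SessionStore` and the injectable clock are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def sign_cookie(payload: str, key: bytes = SERVER_KEY) -> str:
    """Option 1 done carefully: 'user=...;login=...' plus an HMAC tag."""
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the payload if the tag matches, else None (altered or fabricated)."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(tag, expected) else None


class SessionStore:
    """Option 2: the browser holds only an opaque random id; all state lives here."""

    def __init__(self, idle_timeout=20 * 60, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds of inactivity before sign-out
        self.clock = clock                 # injectable so tests are deterministic
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)    # unguessable, reveals nothing about the user
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def user_for(self, sid: str):
        """Resolve a session id; expire it if idle too long, else slide the window."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]        # automatic sign-out after 20 idle minutes
            return None
        entry["last_seen"] = now           # activity extends the session
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Server-side invalidation: a copied id is useless after this."""
        self._sessions.pop(sid, None)
```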