Geek Answers Handbook

How secure is Ticket.UserData in User.Identity in asp.net

My site uses ASP.NET forms authentication, and I insert user-specific information into the UserData part of the authentication ticket / cookie. Since UserData is in the authentication ticket, it is encrypted like this

authCookie.Value = FormsAuthentication.Encrypt(newTicket);

Now I'm not too worried that the data has been compromised at the moment since encryption. but I noticed that the data is available in unencrypted form, for example,

 FormsIdentity fid = User.Identity as FormsIdentity; string plainTextUserData = fid.Ticket.UserData;

The data itself is not too important. I'm still fine, even if other people can see it. but I can’t let people grab this information and start using it as their own. for example, I don’t want one user to register, pretending to be a different user (based on the user ID contained in UserData p>

Is this something I should worry about?

Change 1:

The reason I want to do this is because I can stop using sessions and just use cookies and Ticket.UserData p>

Edit 2:

Data in Ticket.UserData does not change. it is constantly after the user logs in.

+4
source share
3 answers

I need more data on certain pages depending on what the user is doing. right now i'm using sessions, but now i want to move everything to cookies. this is not much data, so I decided that I could all auth ticket / cookie

@ jorsh1 based on your assessment of @Portman, Ticket.UserData is not a place to store changing data. You do not want to constantly recreate the authentication ticket when switching from one page to another.

Use session data using a session service or Sql server. If you do not need data in the session, and the data is small and not sensitive, use a cookie. (*)

The canonical example of MS UserData is to store things like a list of roles so you can say things like "I think this user is an administrator", but if it's something like an administrator role, you probably databases to check before you implicitly trust what's in the cookie.

string plainTextUserData = fid.Ticket.UserData;

This only works inside your application because Asp.Net has already decrypted the ticket for you. However, if you want to set IIRC data, you need to recreate and reconnect the forms authentication cookie.

 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket( currentTicket.Version + 1, currentUser.UserName, now, now.Add(formsAuthentication.Timeout), false, "new user data string", FormsAuthentication.FormsCookiePath); string hash = FormsAuthentication.Encrypt(ticket); HttpCookie cookie = new HttpCookie( FormsAuthentication.FormsCookieName, hash); Response.Cookies.Add(cookie);

Another application cannot decode this ticket unless it knows the decryption key, or it was forced. If you download application balance or use web gardens, you even need to keep the keys in sync.

* I am not a supporter of storing things in a session. Usually there is another way to save this data.

[edit] What I use for a session for:

The only thing I often find is to store a lightweight version of critical user data in a session-based session. However, we make it transparently loaded and do not duplicate what is on the Ticket.

Thus, we do not detect anything sensitive in cookies, and we do not rely on the session. We also established aggressive session remediation. Combined with the small amount of data stored in the session, the sessions do not cause problems for us, and since only one piece of code knows what is happening in the session, we can easily reorganize it.

Something else, the sessions are evil. I prefer to maintain the viewstate on the page that it needs, or else just keep the temporary state in the database.

+5
source

It is as secure as an authentication ticket. Since you are using it for the same purpose, do not worry about it.

+2
source

You probably don't need to worry.

If the data is sensitive (for example, a social security number in the United States), then you should probably avoid sending it with a FormsAuth ticket, even if it is encrypted, because attackers always trigger new attacks.

However, I have to ask: you can already store the identifier with each ticket (username), so why not save all the other data in the database?

+1
source

More articles:


All Articles