ASP.Net Store User Data in Auth Cookie

I want to store some data like the user nickname and user ID (table primary key) in the user data section of the auth cookie. The reason I'm doing this is to retain this data when the browser is closed, without having the user relogin.

Edit: Whoops! Realized I'd not explained myself well. I am not trying to reauthenticate a user based on their cookie. The user is already authenticated by ASP.Net's membership system - this part is fine. My problem is that if I want to show the user's nickname, for example, I have to fire off another SQL query, and then store it in the session. I figured it would make sense to store this information in the auth cookie (again, the one already created by ASP.Net) in the UserData section, which seems to have been created for this purpose.

I don't want to use profiles because I have my own user table with profile data, and I needed a lightweight solution.

What is a good way to encode this data in the user data section of the auth cookie? I was thinking serialization, but that might be overkill. Am I going about this the wrong way?

Donnie Thomas asked Jul 01 '09 17:07


3 Answers

I've written an in-depth tutorial on how to do this here:

http://www.danharman.net/2011/07/07/storing-custom-data-in-forms-authentication-tickets/

This maintains the encryption and authentication, and uses JSON to serialize a class into the UserData field.

Edit:

The blog no longer exists; an archive can be found on the Web Archive here.

Summary from blog:

Get the existing cookie and auth ticket

// Requires: using System.Web; using System.Web.Security;
HttpResponse response = HttpContext.Current.Response;
string name = "alice";   // login name of the user who has already authenticated
bool rememberMe = true;
var cookie = FormsAuthentication.GetAuthCookie(name, rememberMe);
var ticket = FormsAuthentication.Decrypt(cookie.Value);   // the ticket ASP.NET would have issued

Define your custom data (make sure this is serializable to JSON)

var userData = new YourUserClass(...);   // a plain class with public properties, e.g. UserId and Nickname

Create a new auth ticket with your data and the existing auth ticket's settings

var newTicket = new FormsAuthenticationTicket(ticket.Version,
    ticket.Name,
    ticket.IssueDate,
    ticket.Expiration,
    ticket.IsPersistent,
    userData.ToJson(),   // this is where you set your user data; ToJson() is the tutorial's JSON-serializing extension method
    ticket.CookiePath);
var encTicket = FormsAuthentication.Encrypt(newTicket);   // encrypts and signs the ticket; a modified cookie will fail Decrypt

Set your customized ticket into the cookie and add it to the response

cookie.Value = encTicket;
response.Cookies.Add(cookie);
DanH answered Sep 30 '22 23:09


Apparently I was on the right track: http://www.asp.net/learn/security/tutorial-03-vb.aspx (Step 4: Storing Additional User Data in the Ticket)

Donnie Thomas answered Sep 30 '22 23:09


Yes. If you are storing the User ID and Login in the cookie, what's stopping someone from changing their cookies to anyone's User ID and Login?

You need to set up an auth ticket system. Basically, it's a cookie value that gets checked when no session exists. If a value is present, you run that against a ticket table which should contain their User ID. If you find the ticket, give them a session and a new ticket.

Spencer Ruport answered Oct 01 '22 00:10
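The two answers above pull in opposite directions: DanH shows how to put data into the forms ticket, Spencer Ruport warns that a client-controlled user ID cannot be trusted. The point that reconciles them is that UserData lives inside the ticket that FormsAuthentication.Encrypt encrypts and signs, so a cookie edited by the client fails FormsAuthentication.Decrypt rather than yielding a different user ID. The helper below, an added example that is not code from the page, the linked tutorial, or either answerer, writes a cached profile into the ticket and reads it back only when the ticket decrypts, has not expired, and names the same identity ASP.NET authenticated; the CachedProfile class, the 4000-byte size guard, and the method names are constructed for this example.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.Script.Serialization;

// Constructed payload class: cache display data only (nickname, primary key), never secrets.
public class CachedProfile
{
    public int UserId { get; set; }
    public string Nickname { get; set; }
}

public static class AuthTicketUserData
{
    private static readonly JavaScriptSerializer Json = new JavaScriptSerializer();

    // Re-issue the forms ticket ASP.NET already created, with the profile serialized into UserData.
    public static void Write(HttpContext ctx, string userName, bool persistent, CachedProfile profile)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        FormsAuthenticationTicket old = FormsAuthentication.Decrypt(cookie.Value);
        var ticket = new FormsAuthenticationTicket(old.Version, old.Name, old.IssueDate,
            old.Expiration, old.IsPersistent, Json.Serialize(profile), old.CookiePath);
        cookie.Value = FormsAuthentication.Encrypt(ticket);   // encrypt + MAC: client edits break Decrypt
        // Browsers cap a single cookie at roughly 4 KB; fail loudly instead of sending a ticket that gets truncated.
        if (cookie.Value.Length > 4000)
            throw new InvalidOperationException("Forms ticket too large for a cookie; cache less data.");
        ctx.Response.Cookies.Add(cookie);
    }

    // Read the cached profile back. Returns null whenever the ticket cannot be trusted,
    // so the caller falls back to the database query instead of using a bad value.
    public static CachedProfile Read(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }   // null or exception on a tampered/foreign ticket
        catch (Exception) { return null; }
        if (ticket == null || ticket.Expired) return null;

        // The ticket name is the identity ASP.NET authenticated; the cached profile must belong to it.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated ||
            !string.Equals(ticket.Name, ctx.User.Identity.Name, StringComparison.Ordinal)) return null;

        try { return Json.Deserialize<CachedProfile>(ticket.UserData); }
        catch (Exception) { return null; }   // corrupt or empty UserData: treat as "not cached"
    }
}
```

Treat the returned UserId as a cache of a value the server already established, not as authorization input: rotate the ticket (call Write again) whenever the nickname or account changes, since the cookie will otherwise keep showing stale data until it expires.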