
Where does User.Identity data come from?

For example: if I am retrieving User.Identity.Name, does it come from the .ASPXAUTH cookie or is it retrieved from the database using my membership provider?

Are any database requests made when I access User.Identity?

Thanks.


EDIT: Right now I am pretty sure it comes from an authentication ticket cookie, but can't find any official documentation to confirm this. Anyone?

niaher asked Apr 14 '10 11:04


2 Answers

This should answer your question...

"The forms authentication ticket not only includes the user's identity, but also contains information to help ensure the integrity and security of the token." Excerpted from the following Microsoft article:

http://www.asp.net/security/tutorials/forms-authentication-configuration-and-advanced-topics-vb

In addition to that explanation, observing ASP.NET behavior also supports the conclusion that the username is, in fact, stored in the ASPXAUTH cookie: ASP.NET does NOT hit the database on subsequent page requests after the user has been authenticated. You can prove this yourself, just as I did, by running SQL Profiler to monitor the database as it is used by an ASP.NET application.

Also know that username and authentication ticket data are NOT stored in session state. Aside from raising security concerns, that kind of implementation would cause ASP.NET Membership to break when session state is disabled. Here is another Stack Overflow answer indicating that Forms Authentication (Membership) data and Session State have nothing to do with one another:

Does FormsAuthentication.SetAuthCookie() make a session based cookie?

That answer also links to an MSDN article, here, that explains the ASPXAUTH cookie in detail, though the article I referenced above seems to be more current.

BrianFinkel answered Sep 20 '22 17:09
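To see the behaviour described in the answer above on a running site, the handler below prints the name that User.Identity reports next to the name obtained by decrypting the forms authentication cookie directly. It is an added example, not code from the answer or from Microsoft; `TicketInfoHandler` is a hypothetical name, and it assumes an ASP.NET (System.Web) application configured for forms authentication.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example. TicketInfoHandler is a hypothetical name; register the handler in an
// ASP.NET application that uses forms authentication and request it while signed in.
public class TicketInfoHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse response = context.Response;
        response.ContentType = "text/plain";

        // What application code sees: FormsAuthenticationModule built this identity
        // from the ticket before the handler ran.
        FormsIdentity identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            response.StatusCode = 401;
            response.Write("Not signed in with forms authentication.");
            return;
        }

        // The same ticket, decrypted by hand from the request cookie (.ASPXAUTH by default).
        // Decrypt works from the cookie value and the machineKey settings only.
        // The cookie is absent in cookieless mode, where the ticket travels in the URL.
        FormsAuthenticationTicket fromCookie = null;
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            try { fromCookie = FormsAuthentication.Decrypt(cookie.Value); }
            catch (ArgumentException) { /* malformed value: treat as no ticket */ }
            catch (CryptographicException) { /* failed validation or decryption */ }
        }

        FormsAuthenticationTicket ticket = identity.Ticket;
        response.Write("User.Identity.Name : " + identity.Name + "\n");
        response.Write("Ticket name        : " + ticket.Name + "\n");
        response.Write("Issued / expires   : " + ticket.IssueDate + " / " + ticket.Expiration + "\n");
        response.Write("Persistent cookie  : " + ticket.IsPersistent + "\n");
        response.Write("Cookie decrypts to : " + (fromCookie == null ? "(no cookie)" : fromCookie.Name) + "\n");
    }
}
```

Because the name is read from the ticket on every request, a change made to the account in the membership store is not reflected in User.Identity until a new ticket is issued or the current one expires.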


I believe the authentication information is specific to a session and maintained within the ASP.NET process or outside or even SQL Server. Once a user is authenticated, a session token is generated; the token is used to track information of the authenticated user in the state service. On subsequent requests, the session token is used to retrieve the user identity, and that's where we get pre-populated objects like User.Identity.Name. This must be implemented either in the Forms Authentication module or the Windows authentication module, depending on the type of authentication one is using. If you set it to cookieless authentication mode, the session token is displayed within the URL. Once the session expires, all the information pertaining to the session is removed from the state service.

Hope this makes it clear!

TrustyCoder answered Sep 20 '22 17:09