«

I would like to store some Role Information in a cookie since I cannot use
Session in the AuthenticateRequest method.

I thought of encrypting the cookie using Rijndael Algo. for provider. I
would generate a 16 character key store it as a Cached object and replace it
every 20-30 minutes, if the cookie data does not decrypt then simply reload
it because I would assume that key expired.

Is this a secure way of doing it?



--
Abdellah Elamiri
..net Developer
Efficacy through simplicity

It almost seems secure, but...
I question your logic of assuming the key is expired if it does not decrypt
(and accepting it anyway.)
Another reason the key might not decrypt is if someone has been tampering
with it. A hacker might attempt this. It seems they could put any value at
all into the cookie and then your code would assume it's good (but expired)
and then generate a new one.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net


"A. Elamiri" <abdellahDOTelamiriATclintonDOTedutNOSPAM> wrote in message
news:...
> I would like to store some Role Information in a cookie since I cannot use
> Session in the AuthenticateRequest method.
>
> I thought of encrypting the cookie using Rijndael Algo. for provider. I
> would generate a 16 character key store it as a Cached object and replace
it
> every 20-30 minutes, if the cookie data does not decrypt then simply
reload
> it because I would assume that key expired.
>
> Is this a secure way of doing it?
>
>
>
> --
> Abdellah Elamiri
> .net Developer
> Efficacy through simplicity
>
>

Thanks for the feedback

--
Abdellah Elamiri
..net Developer
Efficacy through simplicity
"Steve C. Orr [MVP, MCSD]" <> wrote in message
news:...
> It almost seems secure, but...
> I question your logic of assuming the key is expired if it does not
decrypt
> (and accepting it anyway.)
> Another reason the key might not decrypt is if someone has been tampering
> with it. A hacker might attempt this. It seems they could put any value
at
> all into the cookie and then your code would assume it's good (but
expired)
> and then generate a new one.
>
> --
> I hope this helps,
> Steve C. Orr, MCSD, MVP
> http://Steve.Orr.net
>
>
> "A. Elamiri" <abdellahDOTelamiriATclintonDOTedutNOSPAM> wrote in message
> news:...
> > I would like to store some Role Information in a cookie since I cannot
use
> > Session in the AuthenticateRequest method.
> >
> > I thought of encrypting the cookie using Rijndael Algo. for provider. I
> > would generate a 16 character key store it as a Cached object and
replace
> it
> > every 20-30 minutes, if the cookie data does not decrypt then simply
> reload
> > it because I would assume that key expired.
> >
> > Is this a secure way of doing it?
> >
> >
> >
> > --
> > Abdellah Elamiri
> > .net Developer
> > Efficacy through simplicity
> >
> >
>
>