
Forms Authentication Extensions

by Jonathan Allen on Jul 12, 2011. Estimated reading time: 2 minutes

Normally we bring you large and complex frameworks that, even if you could build them on your own, you probably wouldn’t want to. But sometimes a simple little library with just a couple of classes can make all the difference. One such example is a project called FormsAuthenticationExtensions.

Even with modern frameworks such as MVC 3, the venerable Forms Authentication is still the recommended security model for public-facing web sites. When combined with membership and role providers it is easy to configure and yet still incredibly flexible. In its simplest mode, Forms Authentication is based on an encrypted cookie that contains the username or id. Any other user information must be accessed in another fashion. Options include:

  • Calling Membership.GetUser, which makes a round-trip to the database when using the default implementation. While certainly doable, it can be tricky to get right and its location in the page lifecycle makes debugging difficult.
  • Storing the extra information in Session, which means you actually have to have session state turned on. This is no problem for small sites, but can be a real problem once you start needing multiple web servers.

FormsAuthenticationExtensions offers a third option. Instead of building a membership cache or setting up a session server you can simply store extra bits of information right in the authentication cookie. Here is an example from a small MVC project I used to test the library. This replaces the default code in the AccountController.LogOn method.

// The default call, replaced by the FormsAuthenticationExtensions overload below:
//FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

// NameValueCollection lives in System.Collections.Specialized
var ticketData = new NameValueCollection();
ticketData["Name"] = model.UserName;
ticketData["Key"] = membershipUser.ProviderUserKey.ToString();
ticketData["Email"] = membershipUser.Email;

// The extra values travel inside the encrypted authentication ticket itself
new FormsAuthentication().SetAuthCookie(model.UserName, model.RememberMe, ticketData);

A word of warning from the project’s founder:

Size always matters.

The information you store this way is embedded in the forms ticket, which is then encrypted and sent back to the user's browser. On every single request after this, that entire cookie gets sent back up the wire and decrypted. Storing any significant amount of data here is obviously going to be an issue. Keep it to absolutely no more than a few simple values.
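To make the LogOn snippet and the size warning above concrete, here is an added example that is not from the article or the FormsAuthenticationExtensions project: it builds the ticket by hand with the standard System.Web.Security APIs, assumes the extra values are packed into the ticket's UserData field as a query string (the library's own encoding may differ), and measures how much the encrypted cookie grows, then reads the values back the way a request handler would. It needs a reference to System.Web and a configured or auto-generated machineKey.

```csharp
// Added example, not from the article or the FormsAuthenticationExtensions project.
// Assumption: extra values live in the ticket's UserData field, packed here as a
// URL-encoded query string (the library's own format may differ).
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Web;
using System.Web.Security;

static class TicketSizeCheck
{
    // Pack the NameValueCollection into one URL-encoded string for UserData.
    static string Pack(NameValueCollection data)
    {
        var parts = new List<string>();
        foreach (string key in data)
            parts.Add(HttpUtility.UrlEncode(key) + "=" + HttpUtility.UrlEncode(data[key]));
        return string.Join("&", parts);
    }

    // Build a version-2 ticket (30 minute expiry stands in for the configured timeout)
    // and return the encrypted cookie value, which is what travels on every request.
    static string EncryptedCookieValue(string userName, NameValueCollection data)
    {
        var now = DateTime.UtcNow;
        var ticket = new FormsAuthenticationTicket(
            2, userName, now, now.AddMinutes(30), false,
            data == null ? string.Empty : Pack(data), FormsAuthentication.FormsCookiePath);
        return FormsAuthentication.Encrypt(ticket);
    }

    static void Main()
    {
        var ticketData = new NameValueCollection();   // constructed sample values
        ticketData["Name"] = "jdoe";
        ticketData["Key"] = Guid.NewGuid().ToString();
        ticketData["Email"] = "jdoe@example.com";

        string plain = EncryptedCookieValue("jdoe", null);
        string extended = EncryptedCookieValue("jdoe", ticketData);
        Console.WriteLine("ticket without extras: {0} chars", plain.Length);
        Console.WriteLine("ticket with 3 extras:  {0} chars", extended.Length);

        // Read the values back on a later request: decrypt, then unpack UserData.
        NameValueCollection roundTrip = HttpUtility.ParseQueryString(
            FormsAuthentication.Decrypt(extended).UserData);
        Console.WriteLine("Email read back from ticket: {0}", roundTrip["Email"]);

        // Browsers cap a single cookie at about 4 KB; flag growth long before that.
        if (extended.Length > 2048)
            Console.WriteLine("WARNING: auth cookie is large; move data out of the ticket.");
    }
}
```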

With no dependencies to speak of, enabling FormsAuthenticationExtensions is as simple as loading the NuGet package and changing a couple of lines of code.

If you have any other small but useful libraries that you think people should know about please tell us about them by commenting here or by using the “Contribute News” link at the top of the page.
