Encrypting and Decrypting cookie data?

Printable View

May 18th, 2003, 03:13 PM
hellswraith

Encrypting and Decrypting cookie data?

I need to store cookies on the users computer to allow the forums I have created to remember them.

The question I have is, what is a good way to encrypt the information sent with the cookie, and decrypt it when it comes back to the web app? I don't want usernames and passwords traveling over the Interent un-encrypted. How do I encrypt and decrypt information based on a 'phrase' that I choose?

I have been using the built in functionality of the .Net framework, but it seems that I can't get it to remember the user when they come back even though I am expiring the cookie 6 months from the last date the user visits. In case your wondering why I don't use it.
May 20th, 2003, 07:54 AM
PT Exorcist

try maybe using applets?
May 22nd, 2003, 11:23 PM
Lethal

Hellswraith,
Here is the code I use for my authentication. So far, I have not been able to detect any bugs with persisting the user data/roles:

Code:

protected void Application_AuthenticateRequest(Object sender, EventArgs e) { if (Context.Request.IsAuthenticated) { HttpContext context = HttpContext.Current; string roles; string[] userRoles = null; if ((context.Request.Cookies[rolesCookie] == null) || (context.Request.Cookies[rolesCookie].Value == String.Empty)) { roles = String.Join(";", VegaSoft.VSForums.Business.User.GetRolesByUser(context.User.Identity.Name)); FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, context.User.Identity.Name, DateTime.Now, DateTime.Now.AddHours(1), false, roles); context.Response.Cookies[rolesCookie].Value = FormsAuthentication.Encrypt(ticket); context.Response.Cookies[rolesCookie].Expires = DateTime.Now.AddMinutes(5); userRoles = roles.Split(new char[] {';'}); } else { FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(Context.Request.Cookies[rolesCookie].Value); if (ticket.Name != Context.User.Identity.Name) { Context.Response.Cookies[rolesCookie].Expires = DateTime.Now; return; } else { ArrayList rolesList = new ArrayList(); foreach (string role in ticket.UserData.Split(new char[] {';'})) { if (role.Length > 0) { rolesList.Add(role); } } userRoles = (string[]) rolesList.ToArray(typeof(string)); } } context.User = new GenericPrincipal(Context.User.Identity, userRoles); } }

Login:

Code:

private void RegisterUser_Click(object sender, System.EventArgs e) { if (Page.IsValid) { ErrorMsg.Text = String.Empty; VSForums.Business.User usr = new VSForums.Business.User(); usr.UserName = UserName.Text.Trim(); usr.Password = Password.Text.Trim(); if (VSForums.Business.User.ValidateLogin(usr) == Enums.User.LoginUserStatus.InvalidLogin) { ErrorMsg.Text = InvalidCredentialsMsg; } else { FormsAuthentication.SetAuthCookie(UserName.Text, KeepLoggedIn.Checked); string redirectUrl = Page.Request.QueryString["ReturnUrl"]; if (redirectUrl != null) { Page.Response.Redirect(redirectUrl, true); } else { Response.Redirect("/VSForums/index.aspx", true); } } } }
May 23rd, 2003, 12:48 AM
hellswraith

Thanks, I will give it a try later.
May 23rd, 2003, 02:57 AM
PT Exorcist

hmmm i think you cant use the code, there is something missing:

VegaSoft.VSForums.Business.User.GetRolesByUser(context.User.Identity.Name)); in the first piece of code! be aware
May 23rd, 2003, 07:31 AM
Lethal

Quote:

Originally posted by PT Exorcist
hmmm i think you cant use the code, there is something missing:

VegaSoft.VSForums.Business.User.GetRolesByUser(context.User.Identity.Name)); in the first piece of code! be aware

I'm not following you....
[ VegaSoft.VSForums.Business.User ] is a custom class I created, not the user class in class library.
May 23rd, 2003, 09:52 AM
hellswraith

Quote:

Originally posted by PT Exorcist
hmmm i think you cant use the code, there is something missing:

VegaSoft.VSForums.Business.User.GetRolesByUser(context.User.Identity.Name)); in the first piece of code! be aware

I understand I wouldn't be able to just 'drop' it into my code. I will be able to adapt it to my needs. Thanks for looking out though.
May 23rd, 2003, 10:20 AM
Lethal

Ah, I was thinking he was making a suggestion to me. It's was early, cut me some slack..;)
May 23rd, 2003, 10:24 AM
hellswraith

lol,

Have you tested it in all situations? My main problem is persistance:

User logs in, then closes window. Reopen IE, go to site, not logged in anymore.
May 23rd, 2003, 11:33 AM
Lethal

Yes, I have tested it pretty heavily. I think its pretty solid, but since I just said that, I'm sure you'll find something....:D