-
May 18th, 2003, 03:13 PM
#1
Thread Starter
PowerPoster
Encrypting and Decrypting cookie data?
I need to store cookies on the user's computer to allow the forums I have created to remember them.
The question I have is, what is a good way to encrypt the information sent with the cookie, and decrypt it when it comes back to the web app? I don't want usernames and passwords traveling over the Internet unencrypted. How do I encrypt and decrypt information based on a 'phrase' that I choose?
I have been using the built-in functionality of the .Net framework, but it seems that I can't get it to remember the user when they come back even though I am expiring the cookie 6 months from the last date the user visits. In case you're wondering why I don't use it.
-
May 20th, 2003, 07:54 AM
#2
-
May 22nd, 2003, 11:23 PM
#3
PowerPoster
Hellswraith,
Here is the code I use for my authentication. So far, I have not been able to detect any bugs with persisting the user data/roles:
Code:
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// rolesCookie is the roles cookie name, a field declared elsewhere in this class (not shown).
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    if (Context.Request.IsAuthenticated) {
        HttpContext context = HttpContext.Current;
        string roles;
        string[] userRoles = null;
        if ((context.Request.Cookies[rolesCookie] == null) || (context.Request.Cookies[rolesCookie].Value == String.Empty)) {
            // No roles cookie yet: look the roles up and cache them in an encrypted ticket.
            roles = String.Join(";", VegaSoft.VSForums.Business.User.GetRolesByUser(context.User.Identity.Name));
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, context.User.Identity.Name, DateTime.Now, DateTime.Now.AddHours(1), false, roles);
            context.Response.Cookies[rolesCookie].Value = FormsAuthentication.Encrypt(ticket);
            context.Response.Cookies[rolesCookie].Expires = DateTime.Now.AddMinutes(5);
            userRoles = roles.Split(new char[] {';'});
        }
        else {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(Context.Request.Cookies[rolesCookie].Value);
            // Drop the cookie when the ticket has expired or belongs to another user;
            // the cookie's own Expires value is enforced only by the browser.
            if (ticket.Expired || ticket.Name != Context.User.Identity.Name) {
                Context.Response.Cookies[rolesCookie].Expires = DateTime.Now;
                return;
            }
            else {
                // Rebuild the role array from the ';'-separated list in the ticket.
                ArrayList rolesList = new ArrayList();
                foreach (string role in ticket.UserData.Split(new char[] {';'})) {
                    if (role.Length > 0) {
                        rolesList.Add(role);
                    }
                }
                userRoles = (string[]) rolesList.ToArray(typeof(string));
            }
        }
        // Attach the roles to the current request's principal.
        context.User = new GenericPrincipal(Context.User.Identity, userRoles);
    }
}
Login:
Code:
using System.Web.Security;

private void RegisterUser_Click(object sender, System.EventArgs e)
{
    if (Page.IsValid) {
        ErrorMsg.Text = String.Empty;
        VSForums.Business.User usr = new VSForums.Business.User();
        usr.UserName = UserName.Text.Trim();
        usr.Password = Password.Text.Trim();
        if (VSForums.Business.User.ValidateLogin(usr) == Enums.User.LoginUserStatus.InvalidLogin) {
            ErrorMsg.Text = InvalidCredentialsMsg;
        }
        else {
            // Issue the ticket for the same (trimmed) name that was validated.
            FormsAuthentication.SetAuthCookie(usr.UserName, KeepLoggedIn.Checked);
            string redirectUrl = Page.Request.QueryString["ReturnUrl"];
            // ReturnUrl is user-controlled: follow it only when it is a local path.
            if (redirectUrl != null && redirectUrl.StartsWith("/") && !redirectUrl.StartsWith("//") && !redirectUrl.StartsWith("/\\")) {
                Page.Response.Redirect(redirectUrl, true);
            }
            else {
                Response.Redirect("/VSForums/index.aspx", true);
            }
        }
    }
}
Last edited by Lethal; May 22nd, 2003 at 11:29 PM.
-
May 23rd, 2003, 12:48 AM
#4
Thread Starter
PowerPoster
Thanks, I will give it a try later.
-
May 23rd, 2003, 02:57 AM
#5
yay gay
hmmm I think you can't use the code, there is something missing:
VegaSoft.VSForums.Business.User.GetRolesByUser(context.User.Identity.Name)); in the first piece of code! be aware
\m/  \m/
-
May 23rd, 2003, 07:31 AM
#6
PowerPoster
Originally posted by PT Exorcist
hmmm I think you can't use the code, there is something missing:
VegaSoft.VSForums.Business.User.GetRolesByUser(context.User.Identity.Name)); in the first piece of code! be aware
I'm not following you....
[ VegaSoft.VSForums.Business.User ] is a custom class I created, not the User class in the class library.
-
May 23rd, 2003, 09:52 AM
#7
Thread Starter
PowerPoster
Originally posted by PT Exorcist
hmmm I think you can't use the code, there is something missing:
VegaSoft.VSForums.Business.User.GetRolesByUser(context.User.Identity.Name)); in the first piece of code! be aware
I understand I wouldn't be able to just 'drop' it into my code. I will be able to adapt it to my needs. Thanks for looking out though.
-
May 23rd, 2003, 10:20 AM
#8
PowerPoster
Ah, I was thinking he was making a suggestion to me. It was early, cut me some slack..
-
May 23rd, 2003, 10:24 AM
#9
Thread Starter
PowerPoster
lol,
Have you tested it in all situations? My main problem is persistence:
User logs in, then closes window. Reopen IE, go to site, not logged in anymore.
-
May 23rd, 2003, 11:33 AM
#10
PowerPoster
Yes, I have tested it pretty heavily. I think it's pretty solid, but since I just said that, I'm sure you'll find something....
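Added example, not part of the thread and not any poster's code: one way to issue an encrypted forms-authentication ticket that survives a browser restart and to read it back so that a missing, altered or expired cookie is rejected. The class and method names, the 6-month and 1-hour lifetimes and the HTTPS-only setting are assumptions; it targets .NET Framework 2.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Added example; PersistentLogin, SignIn and ReadTicket are hypothetical names.
public static class PersistentLogin
{
    // Issues an encrypted ticket cookie. Only the user name and roles go into
    // the ticket; the password is never stored in a cookie.
    public static void SignIn(HttpResponse response, string userName,
                              string roles, bool keepLoggedIn)
    {
        DateTime now = DateTime.Now;
        // Assumed lifetimes: 6 months when "keep me logged in" is ticked, else 1 hour.
        DateTime expires = keepLoggedIn ? now.AddMonths(6) : now.AddHours(1);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, expires, keepLoggedIn, roles,
            FormsAuthentication.FormsCookiePath);

        // Encrypt() encrypts and signs the ticket with the machineKey from
        // configuration (forms protection="All", the default).
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;   // .NET 2.0+: hide the cookie from script
        cookie.Secure = true;     // assumption: the site is served over HTTPS
        // A cookie with no Expires is a session cookie and is discarded when
        // the browser closes, so set it explicitly for persistent logins.
        if (keepLoggedIn) cookie.Expires = expires;
        response.Cookies.Add(cookie);
    }

    // Returns the ticket, or null when the cookie is missing, tampered with or expired.
    public static FormsAuthenticationTicket ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            return (ticket == null || ticket.Expired) ? null : ticket;
        }
        catch (ArgumentException) { return null; }       // malformed value
        catch (CryptographicException) { return null; }  // failed decryption or validation
    }
}
```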