Is it safe to store only userId using SetAuthCooki

2019-04-09 04:37发布

问题:

I was wondering if it was safe to store only UserId (primary key in the database) in the cookie using FormsAuthentication.SetAuthCookie() and saving it as a persisting cookie?

I've seen a lot of example where people save usernames but this(userId) could be a one or two digit number which would I guess make it even easier to obtain. So my question is should I do it? If not, why and would it be a lot better if I simply saved the username? (which could again be a short name)

回答1:

It is not safe if you store that value unencrypted and then read that value back from the cookie and use it to authenticate the user's identity on subsequent requests (using the username this way would also be insecure).

It is not safe because it is trivial to change the value in the cookie and then users could subsume the identity of another user.

It is safe, however, if you store the User Id in the FormsAuthenticationTicket.UserData and encrypt the ticket.



回答2:

I don't think people could do much with just the UserID (by the sounds of it) or with a primary key in a database