
I'm writing a custom membership provider that uses LINQ to manage my users. I'm also creating my own tables to manage a user. How would I log in a user using the FormsAuthentication object if I want auth to be cookieless?

2 Answers


You really want to avoid cookieless session persistence at all costs. It means persistence via the URL which is very vulnerable to session hijacking. Take a look at the example in OWASP Top 10 for .NET developers part 3: Broken authentication and session management.

Are you really confident you have clients authenticating who don't support cookies, and are you willing to compromise security for these individuals?
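The login step the question asks about, written for the cookie-bound configuration this answer recommends rather than the cookieless one. This is an added example, not code from the question or from either answer; the page class, the UserName/Password/FailureText controls, and the web.config values are assumptions made for illustration.

```csharp
// Added example (not from the question or either answer): a login handler for a
// custom membership provider under FormsAuthentication, together with the
// web.config setting that decides whether the ticket travels in a cookie or in
// the URL.
//
// web.config (hypothetical, hardened): keep the ticket in a cookie and only
// send it over TLS.
//   <authentication mode="Forms">
//     <forms loginUrl="~/Login.aspx" cookieless="UseCookies" requireSSL="true" />
//   </authentication>
//
// The weak variant the answer warns against, shown only for contrast:
//   <forms loginUrl="~/Login.aspx" cookieless="UseUri" />
// With UseUri the ticket is embedded in every URL, so it is exposed through
// Referer headers, proxy and web-server logs, browser history, bookmarks and
// any link a user pastes somewhere.

using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for Login.aspx. UserName, Password and FailureText
// are assumed to be controls declared in the markup.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Membership.ValidateUser dispatches to the membership provider
        // registered in web.config, so the LINQ-backed user tables are
        // consulted by the custom provider without this page knowing about it.
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            FailureText.Text = "Invalid username or password.";
            return;
        }

        // Defensive check: refuse to issue a ticket that would be carried in
        // the URL. The runtime derives these values from the cookieless
        // attribute above and from the requesting browser.
        if (FormsAuthentication.CookieMode == HttpCookieMode.UseUri
            || !FormsAuthentication.CookiesSupported)
        {
            FailureText.Text = "Cookies are required to sign in.";
            return;
        }

        // Issues the forms-authentication ticket and redirects to ReturnUrl
        // (or the configured defaultUrl). With UseCookies this sets the auth
        // cookie; in UseUri mode the same call would rewrite the URL instead.
        // The second argument 'false' makes the ticket non-persistent, so it
        // lasts for the browser session only.
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
    }
}
```

The provider itself is not shown: ValidateUser is the only member this page touches, and whatever LINQ query it runs against the custom tables is independent of how the resulting ticket is transported.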




In regular ASP.NET, IIS manages that for you by inserting the session ID in the URL.

By the way, this is not the safest approach, as the session can be stolen.

http://msdn.microsoft.com/en-us/library/aa479314.aspx

1 Comment

Also, using session would be problematic if you're using load-balanced servers.
