Encryption Key/Cache

Discussion in 'ASP .Net' started by A. Elamiri, Apr 19, 2004.

  1. A. Elamiri

    A. Elamiri Guest

    I would like to store some Role Information in a cookie since I cannot use
    Session in the AuthenticateRequest method.

    I thought of encrypting the cookie using Rijndael Algo. for provider. I
    would generate a 16 character key, store it as a Cached object and replace it
    every 20-30 minutes. If the cookie data does not decrypt then simply reload
    it because I would assume that key expired.

    Is this a secure way of doing it?



    --
    Abdellah Elamiri
    .net Developer
    Efficacy through simplicity
    A. Elamiri, Apr 19, 2004
    #1

  2. It almost seems secure, but...
    I question your logic of assuming the key is expired if it does not decrypt
    (and accepting it anyway.)
    Another reason the key might not decrypt is if someone has been tampering
    with it. A hacker might attempt this. It seems they could put any value at
    all into the cookie and then your code would assume it's good (but expired)
    and then generate a new one.

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://Steve.Orr.net


    "A. Elamiri" <abdellahDOTelamiriATclintonDOTedutNOSPAM> wrote in message
    news:...
    > I would like to store some Role Information in a cookie since I cannot use
    > Session in the AuthenticateRequest method.
    >
    > I thought of encrypting the cookie using Rijndael Algo. for provider. I
    > would generate a 16 character key store it as a Cached object and replace it
    > every 20-30 minutes, if the cookie data does not decrypt then simply reload
    > it because I would assume that key expired.
    >
    > Is this a secure way of doing it?
    >
    >
    >
    > --
    > Abdellah Elamiri
    > .net Developer
    > Efficacy through simplicity
    >
    >
    Steve C. Orr [MVP, MCSD], Apr 19, 2004
    #2

  3. A. Elamiri

    A. Elamiri Guest

    Thanks for the feedback

    --
    Abdellah Elamiri
    .net Developer
    Efficacy through simplicity
    "Steve C. Orr [MVP, MCSD]" <> wrote in message
    news:...
    > It almost seems secure, but...
    > I question your logic of assuming the key is expired if it does not decrypt
    > (and accepting it anyway.)
    > Another reason the key might not decrypt is if someone has been tampering
    > with it. A hacker might attempt this. It seems they could put any value at
    > all into the cookie and then your code would assume it's good (but expired)
    > and then generate a new one.
    >
    > --
    > I hope this helps,
    > Steve C. Orr, MCSD, MVP
    > http://Steve.Orr.net
    >
    >
    > "A. Elamiri" <abdellahDOTelamiriATclintonDOTedutNOSPAM> wrote in message
    > news:...
    > > I would like to store some Role Information in a cookie since I cannot use
    > > Session in the AuthenticateRequest method.
    > >
    > > I thought of encrypting the cookie using Rijndael Algo. for provider. I
    > > would generate a 16 character key store it as a Cached object and replace it
    > > every 20-30 minutes, if the cookie data does not decrypt then simply reload
    > > it because I would assume that key expired.
    > >
    > > Is this a secure way of doing it?
    > >
    > > --
    > > Abdellah Elamiri
    > > .net Developer
    > > Efficacy through simplicity
    A. Elamiri, Apr 19, 2004
    #3
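
One way to address the objection raised in the second post, as an added example that is not code from the thread: the role data is sealed with AES-GCM (an authenticated mode of AES, the standardized Rijndael) under a rotating key, and a cookie that fails to verify for any reason is discarded and the roles are reloaded from the server-side store. It assumes .NET 8 or later; `RoleCookieProtector`, `RolesFor` and the `loadFromStore` callback are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not from the thread. Token: keyId(1) | nonce(12) | tag(16) | ciphertext.
public sealed class RoleCookieProtector
{
    private readonly Dictionary<byte, byte[]> _keys = new();   // key id -> 256-bit key
    private byte _currentId;
    public RoleCookieProtector() => Rotate();

    // Run on a timer (every 20-30 minutes in the thread); current and previous key stay valid.
    public void Rotate()
    {
        _keys.Remove(unchecked((byte)(_currentId - 1)));
        _keys[unchecked(++_currentId)] = RandomNumberGenerator.GetBytes(32);
    }

    public string Protect(string user, string roles)
    {
        byte[] plain = Encoding.UTF8.GetBytes(roles), aad = Encoding.UTF8.GetBytes(user);
        byte[] token = new byte[29 + plain.Length];
        token[0] = _currentId;
        RandomNumberGenerator.Fill(token.AsSpan(1, 12));
        using var gcm = new AesGcm(_keys[_currentId], 16);
        // The user name is associated data: the cookie fails to verify under any other account.
        gcm.Encrypt(token.AsSpan(1, 12), plain, token.AsSpan(29), token.AsSpan(13, 16), aad);
        return Convert.ToBase64String(token);
    }

    // Returns null for anything that fails to verify: bad encoding, rotated-out key id, or tag mismatch.
    public string? Unprotect(string user, string cookie)
    {
        try
        {
            byte[] token = Convert.FromBase64String(cookie);
            if (token.Length < 29 || !_keys.TryGetValue(token[0], out var key)) return null;
            byte[] plain = new byte[token.Length - 29], aad = Encoding.UTF8.GetBytes(user);
            using var gcm = new AesGcm(key, 16);
            gcm.Decrypt(token.AsSpan(1, 12), token.AsSpan(29), token.AsSpan(13, 16), plain, aad);
            return Encoding.UTF8.GetString(plain);
        }
        catch (Exception e) when (e is FormatException or CryptographicException) { return null; }
    }

    // Any failure discards the cookie; roles then come from the store (assumed callback), not the cookie.
    public string RolesFor(string user, string? cookie, Func<string, string> loadFromStore) =>
        (cookie is null ? null : Unprotect(user, cookie)) ?? loadFromStore(user);
}
```

The key ring is not synchronized here; in a web application, guard `Rotate` and the key lookups with a lock.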
