Encryption Key/Cache

A. Elamiri

I would like to store some Role Information in a cookie since I cannot use
Session in the AuthenticateRequest method.

I thought of encrypting the cookie using Rijndael Algo. for provider. I
would generate a 16 character key, store it as a Cached object and replace it
every 20-30 minutes. If the cookie data does not decrypt, then simply reload
it, because I would assume that key expired.

Is this a secure way of doing it?
 
It almost seems secure, but...
I question your logic of assuming the key is expired if it does not decrypt
(and accepting it anyway.)
Another reason the key might not decrypt is if someone has been tampering
with it. A hacker might attempt this. It seems they could put any value at
all into the cookie and then your code would assume it's good (but expired)
and then generate a new one.
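
An added example, not code from either post: one way to make a failed check safe whether the key rotated or the cookie was altered, by never using any value from a cookie that does not verify. It assumes an HMAC-SHA256 tag in place of Rijndael encryption (integrity only, so the roles are readable by the client), and `RoleCookie`, `roles_for_request` and `load_roles` are hypothetical names.

```python
import base64, hashlib, hmac, json, os, time

KEY_LIFETIME = 30 * 60  # seconds; the upper rotation interval from the question

class RoleCookie:
    """Issues and checks role cookies under one in-memory key that is rotated."""

    def __init__(self, now=time.time):
        self.now = now
        self.key, self.created = os.urandom(32), now()

    def _rotate(self):
        if self.now() - self.created >= KEY_LIFETIME:
            self.key, self.created = os.urandom(32), self.now()

    def _tag(self, body):
        return hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()

    def issue(self, user, roles):
        self._rotate()
        payload = json.dumps({"u": user, "r": roles}).encode()
        body = base64.urlsafe_b64encode(payload)
        return (body + b"." + self._tag(body)).decode()

    def read(self, cookie, user):
        """Return the roles, or None if the cookie cannot be verified."""
        self._rotate()
        body, _, tag = cookie.encode("utf-8", "replace").partition(b".")
        # Constant-time comparison; nothing is parsed before it succeeds.
        if not hmac.compare_digest(self._tag(body), tag):
            return None  # an expired key and tampering look identical here
        data = json.loads(base64.urlsafe_b64decode(body))
        # Bind the cookie to the authenticated user it was issued for.
        return data["r"] if data["u"] == user else None


def roles_for_request(jar, cookie, user, load_roles):
    """Roles for an already authenticated user, plus the cookie to send back."""
    roles = jar.read(cookie, user) if cookie else None
    if roles is not None:
        return roles, cookie
    # Verification failed: ignore the cookie content entirely and ask the
    # authoritative store (load_roles is a hypothetical lookup function).
    roles = load_roles(user)
    return roles, jar.issue(user, roles)
```
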
 