FormsAuthentication – Storing additional information

May 28, 2010 at 1:45 pm (.NET, ASP.NET)

Here’s my first post under the ASP.NET category!

For the past two days I’ve been struggling to find a good way to store additional information about an authenticated user on my site. I previously stored the information in the Session object, which is not that good according to a lot of people on the web. To make long story short I went to look at other possibilities and the first thing I noticed was that ASP.NET comes with FormsAuthentication out of the box. It does a lot of authentication handling for you. So that’s what I went with.

The first problem that I ran into using FormsAuthentication was that it only offered to store the Username. I wanted to store more than that, such as the User ID. I tried to Google up the problem and after many Google searches I found a solution. Most of the sites that I found discussing the problem were very unclear and not showing the whole picture and that’s what brought me here to blog my solution.

What I did to solve the problem was to use the FormsAuthenticationTicket class. You may probably ask what the purpose of the FormsAuthenticationTicket class is. FormsAuthenticationTicket creates a cookie in your browser to identify an authenticated user. It is the same as doing FormsAuthentication.SetAuthCookie(), except SetAuthCookie cannot store any additional information. That’s where FormsAuthenticationTicket comes in to play; it allows you to store additional information.

So, instead of doing SetAuthCookie, the cookie has to be made manually with the FormsAuthenticationTicket class.
Here’s how to create the cookie manually:

FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,

string encTicket = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
if (rememberMe)
    cookie.Expires = ticket.Expiration;

The second last parameter of the FormsAuthenticationTicket constructor is the userData, that’s where you can put any custom data, such as the User ID in my case. I made the cookie last for 120 minutes (two hours). I will go slightly on how that works. Let’s assume the user log-ins at 13:00, then the cookie will expire at 15:00. Now let’s say the user does nothing for one hour and then he loads a page at 14:00, then the cookie will not expire until 16:00. So the cookie will live as long the user is active within the two hours range.

The static method Encrypt of the FormsAuthentication class is used to encrypt the cookie for security reasons. The cookie expiration has to be the same as the ticket expiration, or else the cookie will not have any persistence between sessions, even though if it is set to true in the FormsAuthenticationTicket constructor. This has to be done if the user wants to be remembered. And finally the cookie is added with Response.Cookies.Add(cookie);

Ok great, now I’ve manually created the authentication cookie, next step is how to retrieve the information.

That’s a very simple process:

if (User != null && User.Identity.IsAuthenticated)
    FormsIdentity identity = (FormsIdentity)User.Identity;
    if (identity.Ticket.UserData.Length > 0)
        int nUserID = Int32.Parse(identity.Ticket.UserData);

I first check if the User is authenticated, and then I cast User.Identity to FormsIdentity to have access to the UserData variable.

Now I can access the User ID and query the User by the User ID.

I hope this helps!


Permalink Leave a Comment