It almost seems secure, but...
I question your logic of assuming the key is expired if it does not decrypt
(and accepting it anyway.)
Another reason the key might not decrypt is if someone has been tampering
with it. A hacker might attempt this. It seems they could put any value at
all into the cookie and then your code would assume it's good (but expired)
and then generate a new one.
--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"A. Elamiri" <abdellahDOTelamiriATclintonDOTedutNOSPAM> wrote in message
news:ej**************@TK2MSFTNGP10.phx.gbl...
I would like to store some Role Information in a cookie since I cannot use
Session in the AuthenticateRequest method.
I thought of encrypting the cookie using Rijndael Algo. for provider. I
would generate a 16-character key, store it as a Cached object, and replace
it every 20-30 minutes. If the cookie data does not decrypt, then simply
reload it, because I would assume that key expired.
Is this a secure way of doing it?
--
Abdellah Elamiri
.net Developer
Efficacy through simplicity
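
The following is an added example, not code from either poster: one way to tell a rotated-out key apart from a modified cookie, which is the distinction the reply above raises. It assumes .NET 8 or later, swaps plain Rijndael encryption for AES-GCM authenticated encryption, and uses hypothetical names (`RoleCookieProtector`, `CookieStatus`) and a constructed cookie layout.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
public enum CookieStatus { Valid, KeyExpired, Tampered }
public sealed class RoleCookieProtector
{
    private readonly Dictionary<byte, byte[]> _keys = new(); // key id -> 256-bit key
    private byte _current;
    public RoleCookieProtector() => Rotate();

    public void Rotate() // call on the 20-30 minute schedule; keeps current + previous key
    {
        _keys.Remove(unchecked((byte)(_current - 1)));
        _keys[++_current] = RandomNumberGenerator.GetBytes(32);
    }

    // Constructed cookie layout: key id (1) | nonce (12) | tag (16) | ciphertext, Base64-encoded.
    public string Protect(string roles)
    {
        byte[] pt = Encoding.UTF8.GetBytes(roles), ct = new byte[pt.Length];
        byte[] nonce = RandomNumberGenerator.GetBytes(12), tag = new byte[16];
        using var aes = new AesGcm(_keys[_current], 16);
        aes.Encrypt(nonce, pt, ct, tag, new[] { _current }); // key id is authenticated too
        var blob = new byte[29 + ct.Length];
        blob[0] = _current;
        nonce.CopyTo(blob, 1); tag.CopyTo(blob, 13); ct.CopyTo(blob, 29);
        return Convert.ToBase64String(blob);
    }

    public CookieStatus Unprotect(string cookie, out string roles)
    {
        roles = "";
        byte[] blob;
        try { blob = Convert.FromBase64String(cookie); }
        catch (FormatException) { return CookieStatus.Tampered; }
        if (blob.Length < 29) return CookieStatus.Tampered;
        // Unknown key id: the id itself is unverified, so trust nothing in the cookie
        // and rebuild the roles from the server-side store for the authenticated user.
        if (!_keys.TryGetValue(blob[0], out var key)) return CookieStatus.KeyExpired;
        var pt = new byte[blob.Length - 29];
        try
        {
            using var aes = new AesGcm(key, 16);
            aes.Decrypt(blob.AsSpan(1, 12), blob.AsSpan(29), blob.AsSpan(13, 16), pt, blob.AsSpan(0, 1));
        }
        catch (CryptographicException) { return CookieStatus.Tampered; } // known key, bad tag: reject
        roles = Encoding.UTF8.GetString(pt);
        return CookieStatus.Valid;
    }
}
```

Only `Valid` returns cookie contents; both other outcomes discard them. The one-byte key id wraps after 256 rotations, so a very old cookie whose id has been reused reports `Tampered` rather than `KeyExpired`.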