Forms Authentication and Security
I'm creating a web application (C#, MVC3) and trying to figure out the best practice to log a user on. I'm sticking with the built-in FormsAuthentication framework and a custom Membership provider to validate a user. But the problem is, there is a lot of user information (first name, last name, user id, last login date, etc.) I would like to save somewhere for easy access in my code.
First thought was to overload IIdentity and IPrincipal, but I was reading that they require a database hit every page load. Then I was thinking about cookies, but some posts were saying it is unwise to store sensitive information in them.
Any suggestions would be great.
You can still use FormsAuthentication. Sensitive user information can be stored in the FormsAuthenticationTicket.UserData property. And it's safe: the authentication cookie is encrypted by FormsAuthenticationModule after FormsAuthenticationTicket serialization.
I created a class called MiniUserModel in my app that has a few pieces of information I need, including User ID, Name, etc., but nothing super sensitive.
I serialize that instance to JSON, encrypt the JSON string, and write the value out to a Cookie.
This allows me to get access to the data easily on every page view without re-querying the database. Because my object is small, the cookie and the resulting request footprint are not adversely affected. This does add "some" overhead for decrypting and deserializing on each request, however. (You could profile it to see if it is a problem; in my case it is not.)
If you take this approach, it is important that you make sure to update the cookie value when a user changes their information.
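The following is an added example that combines the two answers above; it is not code from either poster. It serializes a small user model to JSON, stores it in the FormsAuthenticationTicket.UserData field so that FormsAuthentication.Encrypt handles the encryption and MAC, and rebuilds a custom IPrincipal from the cookie on each request without a database hit. It assumes an ASP.NET MVC 3 / .NET 4.0 site with `<authentication mode="Forms">` and an explicit `<machineKey>` in web.config (required so every server in a farm can decrypt the ticket). The names MiniUserModel, MiniUserPrincipal, UserCookie, SignIn, RefreshUserCookie and ReadUser are hypothetical and chosen for this example.

```csharp
// Added example, not from the original answers. Hypothetical names: MiniUserModel,
// MiniUserPrincipal, UserCookie, SignIn, RefreshUserCookie, ReadUser.
// Assumes Forms authentication and a configured <machineKey> in web.config.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Only non-secret display/lookup data goes here: never passwords, hashes or API keys.
public class MiniUserModel
{
    public int UserId { get; set; }
    public string UserName { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public DateTime LastLogin { get; set; }
}

// Custom principal so controllers/views can cast HttpContext.User and read the model.
public class MiniUserPrincipal : IPrincipal
{
    public MiniUserPrincipal(IIdentity identity, MiniUserModel user)
    {
        Identity = identity;
        User = user;
    }
    public IIdentity Identity { get; private set; }
    public MiniUserModel User { get; private set; }
    public bool IsInRole(string role) { return false; } // roles are not stored in this ticket
}

public static class UserCookie
{
    private static readonly JavaScriptSerializer Json = new JavaScriptSerializer();

    // Call after Membership.ValidateUser() succeeds. FormsAuthentication.Encrypt()
    // encrypts and MACs the whole ticket (UserData included) with the machineKey, so the
    // browser can neither read the fields nor alter them without the MAC failing.
    public static void SignIn(HttpCookieCollection responseCookies, MiniUserModel user, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            user.UserName,                       // becomes User.Identity.Name
            DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            persistent,
            Json.Serialize(user),                // keep this small: whole cookie must stay under ~4 KB
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // not readable from script (XSS mitigation)
            Secure = FormsAuthentication.RequireSSL, // set requireSSL="true" in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        responseCookies.Add(cookie);
    }

    // Re-issue the cookie whenever stored fields change (the user edits their name, etc.);
    // otherwise every request keeps seeing the stale snapshot until the ticket expires.
    public static void RefreshUserCookie(HttpCookieCollection responseCookies, MiniUserModel updated, bool persistent)
    {
        SignIn(responseCookies, updated, persistent);
    }

    // Runs on every request: one decrypt plus one JSON deserialize, no database access.
    public static MiniUserModel ReadUser(HttpCookieCollection requestCookies)
    {
        HttpCookie cookie = requestCookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Throws (ArgumentException/HttpException) on malformed data, a failed MAC
            // check, or a ticket issued under a different machineKey: treat all as anonymous.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null;
        }
        if (ticket == null || ticket.Expired || string.IsNullOrEmpty(ticket.UserData)) return null;

        return Json.Deserialize<MiniUserModel>(ticket.UserData);
    }
}

// Global.asax.cs: swap in the custom principal once FormsAuthenticationModule has
// authenticated the request, so the model is available for the rest of the pipeline.
public partial class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = HttpContext.Current.User;
        if (current == null || !current.Identity.IsAuthenticated) return;

        MiniUserModel user = UserCookie.ReadUser(Request.Cookies);
        if (user != null)
            HttpContext.Current.User = new MiniUserPrincipal(current.Identity, user);
    }
}
```

Two caveats worth keeping in mind with this design. First, the cookie is only as trustworthy as the `<machineKey>` protecting it: leave `protection="All"` (the default) so the ticket is both encrypted and MAC'd, and treat that key as a credential. Second, the ticket is a snapshot, so a disabled account or a changed role is not reflected until the cookie is re-issued or expires; anything that must be enforced immediately still needs a server-side check.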