
Persistent login implementation in ASP.NET MVC application

I want to implement the type of authentication that is explained here in an ASP.NET MVC application. http://jaspan.com/improved_persistent_login_cookie_best_practice

My current implementation has Users and UserLoginTokens tables:

-- Users: identified by Id; login is by Email, so UserName need not be unique.
CREATE TABLE [Users].[Users]
(
Id              int             NOT NULL PRIMARY KEY,
UserName        nvarchar(30)    NULL,   -- Not unique. Login by Email.
Email           nvarchar(100)   NOT NULL,
PasswordHash    nvarchar(512)   NOT NULL,
PasswordSalt    nvarchar(512)   NOT NULL
)
-- UserLoginTokens: one row per (Series, Token) pair issued to a user's cookie.
CREATE TABLE [Users].[UserLoginTokens]
(
Id          int             NOT NULL PRIMARY KEY,
UserId      int             NOT NULL REFERENCES [Users].[Users](Id),
Token       varchar(16)     NOT NULL,
Series      varchar(16)     NOT NULL
)

After the user logs in, he is issued a User cookie with the content t=@Token&s=@Series.

Now, I have a PersistentLoginModule that searches for this cookie on each request, validates that the Token and Series are valid, and builds the user from it.

My questions:

  1. In order to implement this, is it a good idea to implement my own authentication module and not use FormsAuthentication at all?

  2. Should I validate the token against the DB in each request?

  3. When should I discard the old Token and issue the user a new one?

  4. Regarding the implementation of the DB: if I understand it correctly, the Series is always the same for a given user. If so, maybe I should move it to the Users table?

Thanks, any help will be very much appreciated!


If you're going to build your own Authentication Module, I would recommend still using the FormsAuthentication ticket.

The FormsAuthenticationTicket class has a UserData property that you can use to store additional data.

You can use the static FormsAuthentication.Encrypt(ticket) and FormsAuthentication.Decrypt(ticket) methods to store and retrieve the data set in the cookie.

NO. You don't want to go to the database on every request. You might want to store something like the HASH of the provided evidence in some kind of session variable (after you've verified it against the database). You could then later just recompute the HASH and compare it to the value you've already verified during the current session (to verify that it hasn't been tampered with).

You should definitely do your research on best practices and authentication hacking. The article you linked to is from 2006. There have been lots of changes in web security since then.

Check the source code to the FormsAuthenticationModule to see how the Microsoft implementation works (using something like reflector). You should also make sure that this KB patch is installed http://support.microsoft.com/kb/2416472

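The series/token scheme from the question, carried inside a FormsAuthenticationTicket's UserData as the answer recommends, as an added example that is not part of the original question or answer. ITokenStore, LoginCheck, the u=/s=/t= layout of UserData, the 30-day lifetime and the session key name are assumptions made for this example; the actual UserLoginTokens data access is left to the reader, and the store is assumed to keep a SHA-256 hash of the token rather than the token itself.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public enum LoginCheck { Valid, Invalid, TheftDetected }

// Hypothetical store over the UserLoginTokens table (assumption: it keeps a hash of the token, never the token).
public interface ITokenStore
{
    string GetTokenHash(int userId, string series);   // null when the series is unknown
    void SaveTokenHash(int userId, string series, string tokenHash);
    void DeleteAllSeries(int userId);                 // theft detected: invalidate every series for this user
}

public static class PersistentLogin
{
    const string SessionKey = "PersistentLogin.VerifiedCookieHash";  // assumed key name

    static string NewRandomValue()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create())
        {
            var sb = new StringBuilder();
            foreach (var b in sha.ComputeHash(Encoding.UTF8.GetBytes(s))) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Constant-time comparison so the check does not leak token bytes through timing.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // After a successful password login: start a fresh series for this user and issue the cookie.
    public static HttpCookie Issue(int userId, string userName, ITokenStore store)
    {
        return IssueCookie(userId, userName, NewRandomValue(), store);
    }

    static HttpCookie IssueCookie(int userId, string userName, string series, ITokenStore store)
    {
        string token = NewRandomValue();
        store.SaveTokenHash(userId, series, Sha256Hex(token));
        // Base64 contains '+', '/' and '=', so URL-encode before ParseQueryString sees it again.
        string userData = string.Format("u={0}&s={1}&t={2}",
            userId, HttpUtility.UrlEncode(series), HttpUtility.UrlEncode(token));
        var ticket = new FormsAuthenticationTicket(2, userName, DateTime.Now, DateTime.Now.AddDays(30),
                                                   true, userData, FormsAuthentication.FormsCookiePath);
        // Encrypt signs and encrypts with the machineKey, so the cookie cannot be edited client-side.
        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, Secure = true, Expires = ticket.Expiration, Path = FormsAuthentication.FormsCookiePath
        };
    }

    // Per request. On Valid, userId is set and (when the DB was consulted) a rotated cookie is returned.
    public static LoginCheck Validate(HttpCookie cookie, ITokenStore store, HttpSessionStateBase session,
                                      out int userId, out HttpCookie rotated)
    {
        userId = 0; rotated = null;
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return LoginCheck.Invalid;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return LoginCheck.Invalid; }   // MAC check failed or value is garbage
        if (ticket == null || ticket.Expired) return LoginCheck.Invalid;

        var data = HttpUtility.ParseQueryString(ticket.UserData);
        string series = data["s"], token = data["t"];
        if (!int.TryParse(data["u"], out userId) || series == null || token == null) return LoginCheck.Invalid;

        // The answer's shortcut: if this exact cookie was already verified against the DB in this session,
        // compare its hash with the cached one and skip the DB.
        string cookieHash = Sha256Hex(cookie.Value);
        if (session != null && FixedTimeEquals(session[SessionKey] as string, cookieHash)) return LoginCheck.Valid;

        string stored = store.GetTokenHash(userId, series);
        if (stored == null) return LoginCheck.Invalid;             // unknown series: plain bad cookie
        if (!FixedTimeEquals(stored, Sha256Hex(token)))            // known series, wrong token: a stolen cookie was replayed
        {
            store.DeleteAllSeries(userId);
            return LoginCheck.TheftDetected;
        }

        // Good token: rotate it within the same series and remember that this session has been verified.
        rotated = IssueCookie(userId, ticket.Name, series, store);
        if (session != null) session[SessionKey] = Sha256Hex(rotated.Value);
        return LoginCheck.Valid;
    }
}
```

Use Issue(...) from the login action and add the returned cookie to Response.Cookies; call Validate(...) per request and, on Valid with a non-null rotated cookie, write that cookie back, on TheftDetected expire the cookie and force a password login. One caveat for the module approach in the question: session state is only acquired in the AcquireRequestState stage, which runs after AuthenticateRequest, so the session-cached hash shortcut is unavailable in a module's AuthenticateRequest handler (pass null for session there) and fits a controller base class or action filter instead, where Session is an HttpSessionStateBase.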
