
I have a website that uses Azure Active Directory or Google+ for logging in. I go through an OAuth2 login flow, and the user's email, along with their tokens, is returned to me by their identity service.

The user's email address is their identity, and foreign resources (tokens and other things) are stored using the email address as a foreign key.

Right now I'm saving the user's email address in a heavily encrypted string, and when the page loads, I look for a cookie, decrypt it, find the email address, and open that account.

Is this secure? Is there a good pattern for storing the user's identity?

I do not want to force my users to have to login every time they visit the website, but it needs to be secure.

Lighty
Wesley

1 Answer


Yes and no.

If done right it will be, but what you are describing is simply an authentication cookie.

I would suggest not reinventing the wheel. The framework/programming language that you use probably already has a way to manage authentication cookies. I would go with that instead of creating it yourself.

Gudradain
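To make the answer's point concrete, here is an added example (not the answerer's or the asker's code) of what a framework's authentication cookie actually provides beyond "an encrypted email address": integrity (an HMAC over the payload, so the cookie cannot be altered to another user's address), an expiry time, and, in the server-side variant, the ability to revoke a session. It is stdlib-only Python; the `SECRET_KEY` generated at import time, the `sub`/`iat`/`exp` field names and the e-mail addresses are assumptions for illustration, and in a real deployment the key is loaded from configuration or a key store rather than generated per process.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: in production this key comes from config/KMS so it survives restarts
# and is shared across instances; generating it here keeps the example self-contained.
SECRET_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(email: str, ttl_seconds: int, now=None, key: bytes = SECRET_KEY) -> str:
    """Stateless authentication cookie: base64(payload).base64(HMAC-SHA256(payload))."""
    now = time.time() if now is None else now
    payload = {"sub": email, "iat": int(now), "exp": int(now) + ttl_seconds,
               "nonce": secrets.token_hex(8)}  # nonce keeps two cookies for one user distinct
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_cookie(cookie: str, now=None, key: bytes = SECRET_KEY):
    """Return the e-mail address in a valid, unexpired cookie, else None."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    # Check the MAC before parsing anything: untrusted bytes never reach the JSON parser.
    expected = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        payload = json.loads(_unb64(body))
        if now >= payload["exp"]:
            return None
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None


class SessionStore:
    """Server-side sessions: the cookie holds only a random opaque id, so a session
    can be revoked (logout, password reset, compromise) without touching the client."""

    def __init__(self):
        self._sessions = {}  # session id -> (email, expiry timestamp)

    def create(self, email: str, ttl_seconds: int, now=None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
        self._sessions[sid] = (email, now + ttl_seconds)
        return sid

    def lookup(self, sid: str, now=None):
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None:
            return None
        email, expiry = record
        if now >= expiry:
            del self._sessions[sid]
            return None
        return email

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def revoke_all(self, email: str) -> None:
        for sid in [s for s, (e, _) in self._sessions.items() if e == email]:
            del self._sessions[sid]


if __name__ == "__main__":
    c = issue_cookie("alice@example.com", ttl_seconds=3600)  # constructed sample identity
    print("valid:", verify_cookie(c))
    body, tag = c.split(".")
    forged_body = issue_cookie("mallory@example.com", 3600).split(".")[0]
    print("forged body, original tag:", verify_cookie(forged_body + "." + tag))
    store = SessionStore()
    sid = store.create("alice@example.com", 3600)
    store.revoke(sid)
    print("after revoke:", store.lookup(sid))
```

Either cookie must still be sent with `Secure`, `HttpOnly` and a `SameSite` attribute, and the framework helpers the answer recommends handle key rotation, sliding expiry and these flags for you; the stateless form cannot be revoked before `exp`, which is the usual reason frameworks pair a short-lived cookie with a server-side record.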