
Secure place to store access token in ASP.NET MVC4


I have successfully logged in to the Web Api and I have received an "accessToken". Now I need to use that accessToken numerous times to call that public WebApi. Where is the best place to store that accessToken in an ASP.NET MVC4 application?

What if I store the accessToken in session? What if I store the accessToken in userData in the FormsAuthenticationTicket?


Solution

  • ASP.NET Session is stored on the server so this is best in terms of security. The user data portion of the forms authentication ticket is also a good place. Forms authentication automatically encrypts the ticket so you should be fine as well. The advantage of the forms authentication cookie is that you don't need to worry about distributed environments. For example, if you run in a web farm you will have to use an out-of-proc session state whereas the cookie is on the client. It's really up to you. Both solutions are good enough.
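
The forms authentication ticket option described in the answer, as an added example that is not part of the original post. The class and method names are hypothetical, and the cookie settings assume the site is served over HTTPS.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: keeps the Web API access token in the UserData field of the
// forms authentication ticket. AccessTokenTicket, SignIn and GetAccessToken
// are hypothetical names.
public static class AccessTokenTicket
{
    // Call after the Web API login succeeds, in place of
    // FormsAuthentication.SetAuthCookie, which cannot set UserData.
    public static void SignIn(HttpResponseBase response, string userName, string accessToken)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                            // ticket version
            userName,
            DateTime.Now,                                 // issue date (local time)
            DateTime.Now.Add(FormsAuthentication.Timeout),
            false,                                        // not persistent: dies with the browser session
            accessToken,                                  // UserData
            FormsAuthentication.FormsCookiePath);

        // Encrypt protects the ticket with the application's <machineKey>.
        // Every node in a web farm needs the same key to read it back.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        // Browsers cap a cookie at roughly 4 KB, so a long token may not fit;
        // server-side Session is the fallback in that case.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,   // not readable from script
            Secure = true,     // assumption: HTTPS only
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Returns the token for the current request, or null when the user is
    // not signed in through forms authentication.
    public static string GetAccessToken(HttpContextBase context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return null;
        }
        return identity.Ticket.UserData;
    }
}
```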