Tuesday, March 06, 2007

There's been a good deal of interest in my last post, How to Use Windows CardSpace with ASP.NET Forms Authentication. I recently went back and reviewed the screencast and noticed that I mistakenly stored the private personal identifier rather than the unique identifier.

If you're using my code as an example, you need to make some minor tweaks:

  1. In Link.aspx.cs, replace the token.Claims property usage with token.UniqueID on line 32
  2. In Login.aspx.cs, replace the token.Claims property usage with token.UniqueID on line 28

Technically you can leave the database changes alone and still use the field named PPID, but it may be desirable to refactor the database and the stored procedure names to reflect the storage of a unique identifier rather than the private personal identifier.

In short, you want to rely upon the unique identifier rather than the private personal identifier for a number of security reasons. Vittorio Bertocci does a great job of explaining the details about why you want to use the UniqueID rather than the PPID in his post UniqueID and PPID.

Tuesday, March 06, 2007 12:05:14 PM (Central Standard Time, UTC-06:00)

Wednesday, March 14, 2007 5:09:46 AM (Central Standard Time, UTC-06:00)
Thank you very much for this. I was just about to essentially break the existing login mechanisms for my system, now I can see clearly how to get this working with the existing login system.

Can you please post your code? I'm in the process of writing similar stuff and this will save me time.

Much appreciated.
Daniel Bartholomew (Unverified)
Monday, March 26, 2007 6:48:10 AM (Central Standard Time, UTC-06:00)
I've used your work as a basis of my DotNetNuke CardSpace module.

Please have a look if you have the time, at www.dbartholomew.net