We are using FormsAuthentication with a custom MembershipProvider and a custom RoleProvider. For our users we have a unique UserName, an ID (MSSQL auto-key) and a GUID (all three unique).
I'm not sure which one to use for the FormsAuthentication:
FormsAuthentication.GetAuthCookie(userName, false);
UserName, ID or GUID? Can we even store all three pieces of information as UserData in the FormsTicket?
By default ASP.NET takes the UserName (e.g. the e-mail address). But I think the UserName is a little bit weak if it is stored on the client. An MSSQL auto-key also.
So what is the most secure way?
You can serialize and encrypt your UserData object to a string and use that for the cookie.
I answered a similar question about that here: Store user data in MVC 2
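An added example (not from the question or the answer) of the approach the answer describes: the ticket name carries the user's GUID, a small serialized record holding all three identifiers goes into UserData, and FormsAuthentication.Encrypt protects the whole ticket with the machineKey. The UserRecord type, the 30-minute lifetime and the use of JavaScriptSerializer are my assumptions.

```csharp
using System;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Security;

// Assumed record for UserData: keep it small and non-sensitive, the whole ticket must fit one cookie (~4 KB).
public class UserRecord
{
    public string UserName { get; set; }
    public int Id { get; set; }
    public Guid Guid { get; set; }
}

public static class AuthCookieHelper
{
    // The ticket name becomes HttpContext.User.Identity.Name, so a custom RoleProvider
    // (and anything else keyed on Identity.Name) must resolve users by the GUID.
    public static HttpCookie CreateAuthCookie(UserRecord user, bool persistent)
    {
        string userData = new JavaScriptSerializer().Serialize(user);
        var ticket = new FormsAuthenticationTicket(
            1, user.Guid.ToString("N"), DateTime.Now, DateTime.Now.AddMinutes(30),
            persistent, userData, FormsAuthentication.FormsCookiePath);
        // Encrypt() applies the machineKey encryption and MAC (protection="All"), so the
        // client can neither read nor alter the UserName, ID or GUID inside the ticket.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // keeps page script away from the ticket
            Secure = FormsAuthentication.RequireSSL,  // HTTPS-only when requireSSL is configured
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;  // otherwise a session cookie
        return cookie;
    }

    // Call from Application_AuthenticateRequest to recover the record; a tampered or
    // expired cookie yields null rather than a user.
    public static UserRecord ReadAuthCookie(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (ArgumentException) { return null; }            // not a validly encoded ticket
        if (ticket == null || ticket.Expired) return null;     // null when the MAC check fails
        return new JavaScriptSerializer().Deserialize<UserRecord>(ticket.UserData);
    }
}
```

Because the ticket is encrypted and signed server-side, which identifier you pick matters less than keeping the machineKey private; the GUID is still the better ticket name because it reveals nothing about the account, unlike a sequential ID or an e-mail address.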