Let me describe my situation:

We are developing a web application that creates websites.

Each website it creates is saved in the DB with all it’s additional information.

When a client is browsing to one of these websites he’s actually browsing the root application, and with the Website ID we know which data to send to the client in which layout- but all comes from the main root web application.

I wish to create a user management & authentication for this system, FOR EACH WEBSITE.

The idea I came with:

Create in the DB Users table that will have a WebsiteID column.

About the authentication, I planned to create some manual functions, that in each user login success, the system creates a cookie in the client’s machine with the WebsiteId, and a random GUID that will be saved in our DB for safety issues (if there was no GUID, a client could manually create a cookie with the websiteId and hack out system).

This is how I planned doing it with the HttpCookie class:

// int websiteId -> the current website id.
// int userId -> the user id from the DB.

HttpCookie cookie = new HttpCookie("WebsiteAuthentication" + websiteId);
cookie.Values["WebsiteId"] = websiteId.ToString();
cookie.Values["UserId"] = userId.ToString();
cookie.Values["Guid"] = "SOME_RANDOM_GUID";

When I will need to check if the current user is authenticated, I will compare the clients cookie (if exists) and the cookie’s GUID vs the GUID is saven in the applications’ DB.

Is this a good way to solve my issue? Is it protected and safe enough?

I’ll be happy to know what you say about it, maybe i’m totally off-course…

Hope I was understandable. Thanks all,

Gal