Subscriptions, impersonators, identities and other goods were just discovered in the last 3 days... but some are still unclear. Why is it better to use that than to only keep the logged-in user object in the session? It can hold roles, permissions, and other custom properties.

    // Body of the per-request authentication handler
    // (the enclosing method signature is not shown in the post).
    HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
    if (cookie == null) return;

    bool isPersistent;
    int webUserId = GetUserId(cookie, out isPersistent);

    // check that the user exists
    var webUserRepository = kernel.Get<IWebUserRepository>();
    try
    {
        WebUser current = webUserRepository.GetById(webUserId);

        // re-issue the auth cookie
        var formsAuth = kernel.Get<IFormsAuthService>();
        Response.Cookies.Add(formsAuth.GetAuthCookie(current, isPersistent));
        Context.User = current;
    }
    catch (Exception ex)
    {
        // TODO: Logging
        RemoveAuthCookieAndRedirectToDefaultPage();
    }
    } // end of the enclosing method

    private int GetUserId(HttpCookie cookie, out bool isPersistent)
    {
        try
        {
            // Decrypt() throws if the ticket cannot be decrypted
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            isPersistent = ticket.IsPersistent;
            return int.Parse(ticket.UserData);
        }
        catch (Exception ex)
        {
            // TODO: Logging
            RemoveAuthCookieAndRedirectToDefaultPage();
            isPersistent = false;
            return -1;
        }
    }

Therefore, on every authorized request the DB has to be queried, whereas when using the session I would only do it once, when the user logs in. I know that you can keep other user data in the role cookie and ticket cookie, but I do not think it is safe, because an attacker can modify the cookie content, move it, and more...
So, does anyone agree with this?
The default InProc session state is not durable and will "disappear" whenever your app pool recycles.
> SqlStore session is enduring, but then you have an extra load on your DB server.
Cookies are the best choice for websites at this time and probably will not change for a long time. Cookies are relatively safe and you must be OK, as long as you encrypt cookie content, which .NET does by default.
Note: .NET has a big security flaw in relation to its default encryption methods. I have to say that I was safe and probably would be again.