Implement secure authentication with authorization in MVC

Question

I need to implement the secure system, in MVC which will recognize that user logged in is followed proper authentication steps.

Can i know which authentication scheme will be better of the following.

1. Form authentication will be using cookie, which in turn get the user details based on the cookie. In form authentication we have advantage that with the cookie available in browser, system will auto login from that.

2. Storing the logged in user information in session and checking that user logged in. But if the session expires we need to logout the system. Suppose the user need to work till entire day, some time user can leave without interaction for 20 mins, system automatically sign-out the user.

3. Storing the logged user details in sql server session which will be having performance issues.

So i need to implement secure and performance oriented scheme which will be maintain user information securely and also have advantages like auto login with cookie.

Primary goal is to maintain which user logged in and he should be authenticated through the system which he is accessing and safely logout the system

Answer 1

The 1-option is not safe because you can pick up the cookie data and insert it into another browser to impersonate the user.

I use the 2-option for example with my website because it has a secure structure. If the browser is closed and opened again the session is destroyed but you can always use it as long as the same browser is open to access your profile without having to log in.

The 3-option has too much editing and processing effort so I wouldn't recommend it.

Maintaining the user would simply fall when you maintain the user data in the database via an admin panel which you create. So you have the possibility to install an ACL system later.