Storing password in forms authentication cookie - ASP.NET and WCF calls

野趣味 2021-02-04 20:52

For my web app security I'm using FormsAuthentication / MembershipProvider with a non-persistent cookie.

My application interacts with some web services, these also use

3 Answers
  •  北海茫月
    2021-02-04 21:34

    The best practice would be to not require the user to authenticate with his username and password on every request.

    Instead, on the first authentication, the web service should return some kind of authentication token. This is what should be stored somewhere. I would recommend storing it in Session state, rather than in the forms authentication ticket.

    When the ticket from the web service expires, you might consider expiring the Forms Authentication ticket as well, which would cause the user to need to log in to your site again, providing username and password, which you would validate, and then use to authenticate to the web service again, storing the ticket from the web service, etc.
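
The flow described in the answer above, as an added example that is not code from the original posters: the password is used once at login, only the service token is kept in Session state, and the Forms Authentication ticket is ended when that token is missing or expired. `ServiceToken`, `IBackendAuthClient`, `ServiceTokenSession` and the session key are hypothetical names standing in for whatever the real web service exposes.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical token type and client for the back-end service (assumptions, not a real API).
[Serializable] // needed if session state is stored out of process
public sealed class ServiceToken
{
    public string Value { get; set; }
    public DateTime ExpiresUtc { get; set; }
}

public interface IBackendAuthClient
{
    ServiceToken Login(string username, string password); // assumed to return null on failure
}

public static class ServiceTokenSession
{
    private const string Key = "BackendServiceToken"; // hypothetical session key

    // Call from the login page. The password is used here once and never stored.
    public static bool SignIn(HttpContextBase ctx, IBackendAuthClient client,
                              string username, string password)
    {
        if (!Membership.ValidateUser(username, password)) return false;

        ServiceToken token = client.Login(username, password);
        if (token == null || token.ExpiresUtc <= DateTime.UtcNow) return false;

        ctx.Session[Key] = token;                            // kept server-side only
        FormsAuthentication.SetAuthCookie(username, false);  // non-persistent cookie, carries the name only
        return true;
    }

    // Call before each web service request. Returns null when the user must log in again.
    public static string GetTokenOrSignOut(HttpContextBase ctx)
    {
        var token = ctx.Session[Key] as ServiceToken;
        if (token != null && token.ExpiresUtc > DateTime.UtcNow) return token.Value;

        // Token expired, or the session was recycled while the cookie is still valid:
        // drop the token and end the forms ticket so the two never disagree.
        ctx.Session.Remove(Key);
        FormsAuthentication.SignOut();
        return null;
    }
}
```

When `GetTokenOrSignOut` returns null, the caller can send the user back to the login form with `FormsAuthentication.RedirectToLoginPage()`.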
