how safe is it to use session variables - asp.net / c#

So basically I'm wondering how safe my way of using Session variables is.

I have a login form where the user types his username/password; it gets parameterized and then queried, and if the username/password exists, a userID is returned from the db table. This is unique for every user.

When I have this value, this is where I'm wondering whether this is a safe way of storing the userID inside the session variable uID. Anyhow, this is how I do it:

    Session["uID"] = (int)dt.DefaultView[0]["userID"];
    FormsAuthentication.RedirectFromLoginPage(username.Text, false);
    Response.Redirect("userPage.aspx", false);

Then the page is redirected to another page where I use the session variable to fetch the user's tables from the db.

Thanks in advance for your feedback.

Mana asked Nov 19 '12 10:11




2 Answers

Session state is kept entirely server-side, no matter which storage method you use (in-memory, session state server or database).

So unless your server is hacked, Session variables are safe. And in case your server does get hacked, the hacker would only have access to the data in his own session, unless he finds a way to analyze the IIS process' memory.

Roy Dictus answered Sep 18 '22 14:09



Very safe. .NET session variables are not the same as cookie variables, which can be viewed from the client side; Session variables in this instance are only accessible from the C# code.

So you can be safe in the knowledge that the Session variable can't be edited by anyone/thing other than the code running in the background.

Not fully related to your question, but might be good to know in your case:

You can also store a whole object in the Session, so you could store a user object in session such as:

    user_Class user = new user_Class();
    user.UID = 1;
    Session["User"] = user;

Then you load it back in on load of each page:

    user_Class user = (user_Class)Session["User"];

Then you could get user.UID from session each time.

Ryan McDonough answered Sep 16 '22 14:09
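An added example (not code from the question or either answer) that shows the practical weak spot in the question's flow: Session["uID"] and the forms-authentication ticket are two independent cookies, so a page that trusts Session["uID"] alone cannot tell whether the session was actually created by a successful login or has simply outlived the auth cookie. The example carries the user id in the ticket's UserData as well, and every page resolves the id only when the ticket and the session agree. FindUserId, the parameterized login query from the question, is assumed and not shown.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class SessionIdentity
{
    // Call after the parameterized login query (the question's FindUserId, assumed here)
    // has returned a userID. The id is placed in the forms ticket's UserData, which the
    // framework encrypts and signs, and mirrored into Session as the question does.
    public static void SignIn(HttpContext ctx, string userName, int userId, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), persistent,
            userId.ToString());
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                         // not readable by client-side script
            Secure = FormsAuthentication.RequireSSL  // follow the web.config setting
        };
        ctx.Response.Cookies.Add(cookie);
        ctx.Session["uID"] = userId;
    }

    // Call from every page that reads Session["uID"]. Returns the id only when the request
    // carries a valid forms-auth ticket and the session value matches it; otherwise the
    // caller should redirect to the login page instead of querying with a missing or
    // unverified id.
    public static int? CurrentUserId(HttpContext ctx)
    {
        var identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return null;

        int ticketId;
        if (!int.TryParse(identity.Ticket.UserData, out ticketId)) return null;

        object sessionValue = ctx.Session["uID"];
        if (sessionValue == null)
        {
            // Session timed out (or restarted) while the auth cookie is still valid:
            // repopulate from the ticket rather than failing with a null reference.
            ctx.Session["uID"] = ticketId;
            return ticketId;
        }

        // A session value that disagrees with the ticket was not produced by this login.
        return (int)sessionValue == ticketId ? ticketId : (int?)null;
    }
}
```

Pages would replace a direct `(int)Session["uID"]` with `SessionIdentity.CurrentUserId(Context)` and redirect when it returns null.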