how safe is it to use session variables - asp.net / c#

Question

So basically i'm wondering how safe is my way of using Session variables.

I have a login form where user types his username/password, it gets parametrized then queried, if username/password exists, then a userID is returned from db table. This is unique for every user.

when i have this value, this is where i'm wondering whether this way is safe way of storing the userID inside the session variable uID? anyhow this is how i do it,

Session["uID"] = (int)dt.DefaultView[0]["userID"];  FormsAuthentication.RedirectFromLoginPage(username.Text, false);  Response.Redirect("userPage.aspx", false); 

then the page is redirected to another page where i use the session variable to fetch the users tables from the db.

Thanks in advance for your feedback

Answer 1

Session state is kept entirely server-side, no matter which storage method you use (in-memory, session state server or database).

So unless your server is hacked, Session variables are safe. And in case your server does get hacked, the hacker would only have access to the data in his own session, unless he finds a way to analyze the IIS process' memory.

Answer 2

Very safe, .NET session variables are not the same as cookie variables which can be viewed from the client side, Session variables in this instance are only accessible from the C# code.

So you can be safe in the knowledge that the Session variable can't be edited by anyone/thing other than the code running the background.

Not fully related to your question, but might be good to know in your case:

You can also store a whole object in the Session, so you could store a user object in session such as

user_Class user = new user_Class(); user.UID = 1; Session["User"] = user; 

Then you load it back in on load of each page.

user_Class user = (user_Class)Session["User"]; 

Then you could get user.UID from session each time.