Is a session cookie secure enough to store the user id?

I am using a session cookie (not a permanent one) to save the user id, so I know whether the user is logged in.

Basically, the user logs in, we check the credentials, then set a session value userID = 37 (for this particular user; another user would have 73 or 69, etc.):

Session.Add("UserID", 37);

My question is: is it possible for the logged-in user to somehow change this session cookie from 37 to 73 and thus fool the server into thinking he is actually user 73? If YES, then what am I doing wrong, and how do I handle this case? It seems insane to put the user id and password hash in the session and check them EVERY TIME??

We are also using this userid value in queries later to restrict them.

I am sorry if this is not an EXACT code question, but it is very much relevant to my code.

asked Apr 25 '12 14:04 by b0x0rz


2 Answers

The session cookie contains only the session id. It is used to identify the user. It contains nothing more. The actual information for this session is stored on the server. So this is secure. The user can never change the value that has been stored on the server. The user cannot change his id if you stored this inside the session.

This being said, when dealing with user ids you could consider using forms authentication to track authenticated users instead of reinventing wheels with the Session.

answered Sep 23 '22 13:09 by Darin Dimitrov


ASP.NET session state provides an important security advantage over client state management techniques in that the actual state is stored on the server side and not exposed on the client and other network entities along the HTTP request path. However, there are several important aspects of session state operation that need to be considered in order to maintain application security. Security best practices fall into three major categories: preventing session ID spoofing and injection, securing the state storage in the back-end, and ensuring session state deployment security in dedicated or shared environments.

Read: Securing Session State

answered Sep 23 '22 13:09 by Pranay Rana
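Both answers rest on the same mechanism: the browser holds only an opaque, random session id, and the UserID lives in server-side state that the client cannot reach. The following is an added illustration written for this page in Python (not ASP.NET's own implementation, and not code from either answerer); it re-implements that mechanism in about eighty lines so the tamper case from the question can be run directly, and it also does the two things the second answer's "preventing session ID spoofing and injection" category is about: it issues a fresh id at login and sets HttpOnly/Secure/SameSite on the cookie. The user table, passwords, `App`, `SessionStore` and `tamper_demo` are all constructed for the demo; the cookie name only mirrors ASP.NET's default.

```python
"""Server-side session store keyed by an opaque random session id.

Added illustration (Python, not ASP.NET's own code): the browser only ever
receives the random id; the UserID lives in a dict on the server, so editing
the cookie cannot turn user 37 into user 73.
"""
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed user table for the demo: username -> (user id, password).
# Hypothetical; a real app stores salted password hashes, not plaintext.
USERS = {"alice": (37, "alice-pass"), "bob": (73, "bob-pass")}

# Mirrors ASP.NET's default session cookie name; any name works here.
COOKIE_NAME = "ASP.NET_SessionId"


class SessionStore:
    """In-memory server-side state: session id -> dict of values."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # 32 random bytes (256 bits): unguessable, so an attacker cannot
        # enumerate or forge another user's session id.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


class App:
    def __init__(self):
        self.store = SessionStore()

    def login(self, username, password):
        """Check credentials; on success store UserID server-side and
        return the new session id, otherwise return None."""
        rec = USERS.get(username)
        if rec is None or not hmac.compare_digest(rec[1].encode(), password.encode()):
            return None
        user_id, _ = rec
        # Always issue a fresh id at login so a pre-login id planted by an
        # attacker (session fixation) never becomes an authenticated one.
        sid = self.store.create()
        self.store.get(sid)["UserID"] = user_id
        return sid

    def set_cookie_header(self, sid):
        """Build the Set-Cookie value: HttpOnly keeps script from reading the
        id, Secure keeps it off plaintext HTTP, SameSite limits CSRF."""
        c = SimpleCookie()
        c[COOKIE_NAME] = sid
        c[COOKIE_NAME]["httponly"] = True
        c[COOKIE_NAME]["secure"] = True
        c[COOKIE_NAME]["samesite"] = "Lax"
        return c[COOKIE_NAME].OutputString()

    def _sid_from(self, cookie_header):
        c = SimpleCookie()
        c.load(cookie_header or "")
        morsel = c.get(COOKIE_NAME)
        return None if morsel is None else morsel.value

    def current_user(self, cookie_header):
        """Resolve a request's Cookie header to a UserID, or None if the
        cookie is missing, unknown, or tampered with."""
        session = self.store.get(self._sid_from(cookie_header))
        return None if session is None else session.get("UserID")

    def logout(self, cookie_header):
        self.store.destroy(self._sid_from(cookie_header))


def tamper_demo():
    """Return what the server sees for a genuine, an edited and a guessed cookie."""
    app = App()
    sid = app.login("alice", "alice-pass")
    genuine = app.current_user(f"{COOKIE_NAME}={sid}")
    # Flip the last character of the id: the edited cookie matches nothing.
    flipped = sid[:-1] + ("A" if sid[-1] != "A" else "B")
    edited = app.current_user(f"{COOKIE_NAME}={flipped}")
    # Write "73" into the cookie: it is looked up as a session id, not a user id.
    guessed = app.current_user(f"{COOKIE_NAME}=73")
    return genuine, edited, guessed


if __name__ == "__main__":
    print(tamper_demo())  # (37, None, None)
```

The session id is the only secret in this design, which is the caveat a practitioner should keep in mind: the client cannot change the UserID, but whoever holds the cookie value is user 37 without changing anything. That is why the flags in `set_cookie_header` matter (HttpOnly against script reading it, Secure against plaintext HTTP), and why the id is regenerated at login rather than carried over from the anonymous session.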