Storing user-id in session variable

When a user is logged in (through OpenID) we are creating a session variable named "UID" and storing the unique user-id in it. Later we are checking the session to see if the user is logged in. I think this is not the right way, but I could not force the team to change this, as I cannot show how this implementation can be cracked. Can anybody show me why (if yes) this implementation is bad?

Tanmoy asked Nov 25 '25 16:11


1 Answer

I can see no situation where you should worry about a server-side Session value being obtained through a client-side exploit. There has been some concern about fake OpenID providers tricking users into passing credentials because of the lack of stature to OpenID, but generally it's unwarranted.

The implementation seems acceptable, but given that you are using ASP.NET you should consider using IIdentity and this ASP.NET OpenID provider:

http://code.google.com/p/dotnetopenid/

It's well tested and has quite a bit of security code and API support built into it.

Keith Adler answered Nov 27 '25 06:11
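As an added illustration, not part of either post: a minimal in-memory session store showing why the lookup described in the question holds up (only an opaque id crosses the wire, the UID never does) and the two details a reviewer would still check around it, regenerating the id at login and invalidating the entry at logout. All names are assumed; the dictionary stands in for the server-side session backend (ASP.NET Session state in the question's case).

```python
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store: opaque session id -> session data.
SESSION_STORE: Dict[str, dict] = {}
SESSION_TTL_SECONDS = 30 * 60


def _new_session_id() -> str:
    # 256-bit random value; this id is the only thing the client ever holds.
    return secrets.token_urlsafe(32)


def anonymous_session() -> str:
    # Pre-login session (e.g. holding OpenID return state); carries no UID.
    sid = _new_session_id()
    SESSION_STORE[sid] = {"UID": None, "created": time.time()}
    return sid


def login(openid_verified_uid: str, old_session_id: Optional[str] = None) -> str:
    """Called only after the OpenID assertion has been verified server-side.

    Stores the UID in the store and returns a fresh id to set as the cookie.
    The pre-login id is discarded, so an id planted in the browser before
    authentication (session fixation) never becomes an authenticated one.
    """
    if old_session_id is not None:
        SESSION_STORE.pop(old_session_id, None)
    sid = _new_session_id()
    SESSION_STORE[sid] = {"UID": openid_verified_uid, "created": time.time()}
    return sid


def current_uid(session_id_from_cookie: Optional[str]) -> Optional[str]:
    """The login check from the question: resolve the cookie value server-side.

    Editing the cookie can only produce an unknown id (no session), never
    another user's UID, because the UID is looked up, not supplied.
    """
    if not session_id_from_cookie:
        return None
    entry = SESSION_STORE.get(session_id_from_cookie)
    if entry is None:
        return None
    if time.time() - entry["created"] > SESSION_TTL_SECONDS:
        SESSION_STORE.pop(session_id_from_cookie, None)  # expired: drop it
        return None
    return entry["UID"]


def logout(session_id_from_cookie: str) -> None:
    # Remove the server-side entry; clearing the cookie alone leaves it usable.
    SESSION_STORE.pop(session_id_from_cookie, None)
```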


