how safe is it to use session variables - asp.net / c#

Question

So basically i'm wondering how safe is my way of using Session variables.

I have a login form where user types his username/password, it gets parametrized then queried, if username/password exists, then a userID is returned from db table. This is unique for every user.

when i have this value, this is where i'm wondering whether this way is safe way of storing the userID inside the session variable uID? anyhow this is how i do it,

Session["uID"] = (int)dt.DefaultView[0]["userID"];

FormsAuthentication.RedirectFromLoginPage(username.Text, false);

Response.Redirect("userPage.aspx", false);

then the page is redirected to another page where i use the session variable to fetch the users tables from the db.

Thanks in advance for your feedback

Answer 1

Session state is kept entirely server-side, no matter which storage method you use (in-memory, session state server or database).

So unless your server is hacked, Session variables are safe. And in case your server does get hacked, the hacker would only have access to the data in his own session, unless he finds a way to analyze the IIS process' memory.

Answer 2

Very safe, .NET session variables are not the same as cookie variables which can be viewed from the client side, Session variables in this instance are only accessible from the C# code.

So you can be safe in the knowledge that the Session variable can't be edited by anyone/thing other than the code running the background.

Not fully related to your question, but might be good to know in your case:

You can also store a whole object in the Session, so you could store a user object in session such as

user_Class user = new user_Class();
user.UID = 1;
Session["User"] = user;

Then you load it back in on load of each page.

user_Class user = (user_Class)Session["User"];

Then you could get user.UID from session each time.

Answer 3

All good until your website outgrows a single server. Then you have to migrate your session provider to a state server or back it off with sql server which ends up being a little sucky.

See http://msdn.microsoft.com/en-us/library/ms178201%28v=vs.80%29.aspx for a comprehensive list of issues around session security.

Answer 4

When it comes to sessions you can very well rest assured that the data is not directly accessible. If for some reason your application ever returns data directly from the session that could potentially be exploited but there's seldom any reason to do this so the risk is fairly minimal.

The riskiest part about sessions comes in the form of session hijacking. See, even though all your data is stored safely on the server we still have that whole "HTTP is stateless" issue to deal with. So some kind of identifier has to be stored on the client so that the server can look up the proper session data. But if somehow another system gets ahold of that ID then they can pretend to be you for as long as the server keeps the session active.

Aside from continuously addressing any cross site scripting potential in your website there isn't really much you can do about this without a secure connection. Even then it can be improperly implemented.

Answer 5

You are still vulnerable even if YOU SERVER IS NOT COMPROMISED session can be easily hijack by using MITM Attack and when an attacker gets your session he can do anything what you can do.

You can use techniques to avoid session hijack but remember you are still vulnerable if there is a coding problem or etc which leave your application vulnerable.

Using SSL

SSL your site

Generate Hash

Protecting Session