Is an int UserID stored in an ASP.NET session insecure?

I am designing my login for my new home page.

Now I found out that I have to store something like the user id (or some other value that my user can recognize) in a browser session variable.

I am currently using INT for the user id.

So, is it not safe to enter a user id in a session?

E.g. if I manually edit the session variable from user id 111 to user id 112, then I am logged in as a completely different user?!

+2




3 answers


Yes, it is not safe to rely only on the user ID.

You might want to add a unique authentication token generated and remembered by the server. It is also a very simple solution, but it will stop manipulation of the user id, as the correct value of the authentication token for another user cannot be guessed.

You also need to send both the user ID and the corresponding authentication token on each request, for joint server-side verification prior to performing the requested operation.



PS: The above applies if you store this information in cookies, which are available on the client side and can be manipulated. View state (serialized across pages) can also be manipulated. The session collection is a server-side variable that is not available on the client and therefore cannot be manipulated. In that case, your user ID should be safe.

I would recommend that you implement a dual system: store the user id and token in both the cookie and the session, and use the same validation logic (for simplicity). If cookies are disabled, you will automatically opt out of the session without changing the code.

+2




The session variable is not stored in the browser, it is stored on the web server. (As a rule, anyway.) A token that indicates which session variable to use is stored in the browser.

So, storing the user ID in a session variable is okay as the user doesn't have direct access to it.



If the user changes the session token to a different one, that will be a problem, but they will need to find out a different token first. (I'm not sure how to do this myself.) (You can further mitigate this by using encryption, or other identifiers such as IP addresses, etc.; it is really a question of how secure your website needs to be.)

Also, if your site needs a user to login, it is recommended to use https / SSL.

+1


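The two answers above describe the same defence from two angles: the client must never be trusted to state who it is, so either (answer 1) the user id travels together with a server-issued random token that is checked on every request, or (answer 2) the user id never leaves the server at all and the browser only holds an unguessable session id. The following Python script is an added illustration of both schemes and is not code from the original answers or from ASP.NET; the in-memory dictionaries stand in for whatever server-side store a real application would use, and the cookie dictionaries are constructed sample values.

```python
import secrets
import hmac
from typing import Optional

# --- Scheme 1 (answer 1): user id + server-remembered token in the cookie ---
# Constructed server-side state: user id -> token issued at login (assumption:
# a real app would keep this in its session store or database).
_issued_tokens: dict[int, str] = {}


def login(user_id: int) -> dict:
    """Issue a random token at login, remember it server-side, and return the
    cookie values the browser would be asked to store."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    _issued_tokens[user_id] = token
    return {"uid": str(user_id), "token": token}


def naive_authenticate(cookies: dict) -> Optional[int]:
    """The insecure scheme from the question: trust the uid value alone."""
    try:
        return int(cookies["uid"])
    except (KeyError, ValueError):
        return None


def authenticate(cookies: dict) -> Optional[int]:
    """Verify uid AND token on every request before doing any work.
    Returns the authenticated user id, or None if the pair does not match."""
    try:
        user_id = int(cookies.get("uid", ""))
    except ValueError:
        return None
    expected = _issued_tokens.get(user_id)
    presented = cookies.get("token", "")
    # compare_digest avoids leaking how many leading bytes matched
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    return user_id


# --- Scheme 2 (answer 2): user id lives only on the server, keyed by session id ---
_sessions: dict[str, dict] = {}


def create_session(user_id: int) -> str:
    """Store the user id server-side and hand the browser only a random session id."""
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"user_id": user_id}
    return session_id


def session_user(session_id: str) -> Optional[int]:
    """Look the session up; the client cannot edit the user id, only present an id."""
    entry = _sessions.get(session_id)
    return None if entry is None else entry["user_id"]


def demo() -> dict:
    """Replay the question's scenario: user 111 edits the uid cookie to 112."""
    alice = login(111)
    login(112)  # user 112 also has a valid, different token on the server
    tampered = dict(alice, uid="112")  # keep Alice's token, change only the uid
    return {
        "naive_tampered": naive_authenticate(tampered),  # 112: impersonation works
        "token_tampered": authenticate(tampered),        # None: token belongs to 111
        "token_genuine": authenticate(alice),            # 111: untouched cookie is fine
    }


if __name__ == "__main__":
    print(demo())
    sid = create_session(111)
    print(session_user(sid), session_user("guessed-session-id"))
```

In scheme 1 the attacker who edits `uid` still has to know the victim's token, which was drawn from 256 bits of randomness; in scheme 2 there is nothing user-related on the client to edit at all, so the only attack left is guessing or stealing a session id, which is why answer 2 goes on to recommend HTTPS.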


As Bravax says, the user does not have access to the session variables (it is the cookies they have access to).

If you are worried at all, I would use GUIDs instead, as they are not sequential and almost impossible to guess.

Also, have you considered the built-in .NET authentication? Have a look at FormsAuthentication.

NTN, Arry

0

