I'm building an intranet ASP.net web application that unfortunately cannot use the built-in membership features because all the users and logins are stored on the company database. It will use Windows authentication and match against this.

I'm planning to have my own "users" table in a separate database that will handle access privileges within the application with simple relationships.

On first visit, the application will authenticate them with the company database and then check the local one to see if they are among the valid users (only certain employees will have access). There's no "login" form per se.

Security is very important, but the application is small. Can I safely store a boolean "isLogged" and string "username" in the ASP.net Session object without fear of hijacking, etc? Are there other solutions, or should I validate on each page?

A: 

This is not an answer to your question about using session variables to identify logged in users, but I don't believe that any shortcuts should be taken on security. Consider using .Net forms authentication. It may be possible to use the "company database" as your user store for forms authentication. Users who are authorized to access your intranet can be placed in the appropriate roles.

+1  A: 

You can easily use Forms authentication by creating an implementation of the Membership and Role providers that will read from your tables.

It will be time much better spent than trying to create a secure authentication system from scratch I think.

This is what the provider model was created for after all.

Denis Troller
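As an added example (not code from the question or from either answer), here is what the second answer's advice looks like in practice for this setup: Windows authentication supplies the identity, and a small read-only `RoleProvider` that reads the local "users" database supplies the access privileges, so ASP.NET's `<authorization>` section enforces the check on every request and no "isLogged" flag needs to live in Session. The table names (`AppRoles`, `AppUserRoles`), the connection-string name `AppDb`, the role name `IntranetUser` and the namespace are all assumptions chosen for the example.

```csharp
// Added example. Assumed (hypothetical) schema in the local database:
//   AppRoles(RoleName nvarchar(64) PRIMARY KEY)
//   AppUserRoles(UserName nvarchar(128), RoleName nvarchar(64))  -- UserName is DOMAIN\login
// Assumed web.config wiring (hypothetical names):
//   <authentication mode="Windows" />
//   <roleManager enabled="true" defaultProvider="LocalDbRoles">
//     <providers>
//       <add name="LocalDbRoles" type="Intranet.Security.LocalDbRoleProvider"
//            connectionStringName="AppDb" />
//     </providers>
//   </roleManager>
//   <authorization>
//     <allow roles="IntranetUser" />
//     <deny users="*" />
//   </authorization>
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data.SqlClient;
using System.Web.Security;

namespace Intranet.Security
{
    // Read-only provider: roles are granted by administrators directly in the database,
    // so the write-side members of the provider contract are deliberately unsupported.
    public sealed class LocalDbRoleProvider : RoleProvider
    {
        private string _connectionString;

        public override string ApplicationName { get; set; }

        public override void Initialize(string name, NameValueCollection config)
        {
            if (config == null) throw new ArgumentNullException("config");
            if (string.IsNullOrEmpty(name)) name = "LocalDbRoleProvider";
            base.Initialize(name, config);

            string csName = config["connectionStringName"];
            ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[csName];
            if (cs == null || string.IsNullOrEmpty(cs.ConnectionString))
                throw new ProviderException("Connection string '" + csName + "' not found.");
            _connectionString = cs.ConnectionString;
        }

        // The RoleManager module calls this for the authenticated user on each request, so
        // the <authorization> rules are re-evaluated every time without per-page code.
        public override string[] GetRolesForUser(string username)
        {
            if (string.IsNullOrEmpty(username)) return new string[0];
            return Query("SELECT RoleName FROM AppUserRoles WHERE UserName = @u",
                         new SqlParameter("@u", username));
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            return Array.Exists(GetRolesForUser(username),
                r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
        }

        public override string[] GetAllRoles()
        {
            return Query("SELECT RoleName FROM AppRoles");
        }

        public override bool RoleExists(string roleName)
        {
            return Array.Exists(GetAllRoles(),
                r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
        }

        public override string[] GetUsersInRole(string roleName)
        {
            return Query("SELECT UserName FROM AppUserRoles WHERE RoleName = @r",
                         new SqlParameter("@r", roleName));
        }

        // usernameToMatch may contain SQL LIKE wildcards, as the provider contract allows.
        public override string[] FindUsersInRole(string roleName, string usernameToMatch)
        {
            return Query("SELECT UserName FROM AppUserRoles WHERE RoleName = @r AND UserName LIKE @m",
                         new SqlParameter("@r", roleName), new SqlParameter("@m", usernameToMatch));
        }

        public override void CreateRole(string roleName) { throw NotSupported(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw NotSupported(); }
        public override void AddUsersToRoles(string[] u, string[] r) { throw NotSupported(); }
        public override void RemoveUsersFromRoles(string[] u, string[] r) { throw NotSupported(); }

        private static Exception NotSupported()
        {
            return new NotSupportedException("Roles are managed directly in the database.");
        }

        // Parameterized query returning the first column of every row as a string.
        private string[] Query(string sql, params SqlParameter[] parameters)
        {
            var results = new List<string>();
            using (var conn = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.AddRange(parameters);
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                    while (reader.Read()) results.Add(reader.GetString(0));
            }
            return results.ToArray();
        }
    }
}
```

With this wiring, `User.Identity.Name` is the `DOMAIN\login` that Windows authentication established, and `User.IsInRole("IntranetUser")` or `Roles.IsUserInRole(...)` answers the "is this one of the valid employees" question from the local table on every request; an employee removed from `AppUserRoles` loses access on their next request rather than keeping a stale Session flag. Leave `cacheRolesInCookie` on `<roleManager>` at its default of `false` for this scenario so the role lookup always hits the database instead of trusting a client-side cookie.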