I'm building an intranet ASP.NET web application that unfortunately cannot use the built-in membership features because all the users and logins are stored on the company database. It will use Windows authentication and match against this.
I'm planning to have my own "users" table in a separate database that will handle access privileges within the application with simple relationships.
On first visit, the application will authenticate them with the company database and then check the local one to see if they are among the valid users (only certain employees will have access). There's no "login" form per se.
Security is very important, but the application is small. Can I safely store a boolean "isLogged" and string "username" in the ASP.NET Session object without fear of hijacking, etc.? Are there other solutions, or should I validate on each page?
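
Added example, not part of the original question: a sketch of the "validate on each request" option for the flow described above. It takes the identity from Windows authentication on every request and uses the session only to cache the local-table lookup for that identity. The connection string name `AppDb`, the table `AppUsers`, its column `UserName` and the session key `authorizedFor` are assumed names.

```csharp
// Global.asax.cs (added example; AppDb, AppUsers, UserName, authorizedFor are assumed names)
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;

public class Global : HttpApplication
{
    // Runs on every request, after authentication and once session state is loaded.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Identity comes from IIS/Windows authentication on each request, never from the session.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) { Deny(ctx, 401); return; }
        string windowsName = ctx.User.Identity.Name; // DOMAIN\user

        // The session holds only a cached lookup result, bound to the identity it was computed for.
        // A session id presented under a different Windows identity fails this comparison.
        bool cached = ctx.Session != null && string.Equals(
            ctx.Session["authorizedFor"] as string, windowsName, StringComparison.OrdinalIgnoreCase);
        if (cached) return;

        if (!IsAllowedUser(windowsName))
        {
            if (ctx.Session != null) ctx.Session.Remove("authorizedFor");
            Deny(ctx, 403);
            return;
        }
        if (ctx.Session != null) ctx.Session["authorizedFor"] = windowsName;
    }

    // Parameterized lookup against the application's own users table.
    private static bool IsAllowedUser(string windowsName)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM AppUsers WHERE UserName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", windowsName);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // Set the status code and skip the rest of the pipeline so the page handler never runs.
    private static void Deny(HttpContext ctx, int status)
    {
        ctx.Response.StatusCode = status;
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

Because the cached value is keyed to the Windows identity, removing a user from the table takes effect when their session ends; dropping the cache check makes the lookup run on every request instead.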