views: 84

answers: 3

I am writing a web application and for certain actions the user needs to enter a One Time Pin (OTP) - similar to most banking websites.

So I basically need to generate a random string, store it somewhere, send it to the user and then validate the entered pin against the one I stored.

Is it safe to store this generated string in the ASP Session object?

A: 

Session is a server-side collection not accessible on the client (as opposed to cookies / viewstate). It should be free from client manipulation.

Still, I think you should store these OTPs in the database and compare against those.

Developer Art
Why would you store the OTPs in the database? I just want to do the simplest thing that could possibly work.
Jaco Pretorius
I think that Dokie answered this already ;-)
weismat
What if the user closes the browser, goes to have a cup of tea, then returns and completes the mission? The session variable will be lost. If this however is exactly what you want then the session will do just fine.
Developer Art
Yeah this is exactly what I want. I'm aware of the issue with using Session in web farms.
Jaco Pretorius
A: 

Just be aware that any in-memory Session data is not transferable to other web servers in a web farm so if this site needs to scale then you might want to put the OTP off the web server. Unless you employ sticky sessions of course.

Dokie
+2  A: 

Don't store the PIN. Hash it (one of the SHA algorithms, preferably with some salt) and store the hash. Then compare the hash of what the user types in to the hash you stored. Then, if your storage (be it in the session object, some database, or whatever) is compromised, the attacker does not learn what the PIN is.

jeffsix
Good idea thanks
Jaco Pretorius
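The procedure the question describes (generate a random pin, store it server-side, send it, validate the entry) combined with jeffsix's advice to store only a salted hash is shown below as an added Python example. It is not code from the thread or from ASP.NET; the `session` argument is a plain dict standing in for the server-side session store, and the pin length, five-minute lifetime and three-attempt limit are constructed values for the example. Because a six-digit pin has only a million possible values, hashing alone does not protect it from a brute-force guess against the stored hash, so the example also gives each pin a short expiry, a small attempt budget and single use, and compares hashes in constant time.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this example (not from the original question).
OTP_LENGTH = 6           # digits sent to the user
OTP_TTL_SECONDS = 300    # a pin is only valid for five minutes
MAX_ATTEMPTS = 3         # reject the pin after this many wrong guesses
SALT_BYTES = 16


def generate_otp(length=OTP_LENGTH):
    """Return a numeric pin drawn from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def hash_otp(otp, salt):
    """SHA-256 over salt + pin; only this digest is stored, never the pin."""
    return hashlib.sha256(salt + otp.encode("ascii")).hexdigest()


def issue_otp(session, now=None):
    """Generate a pin, store its salted hash plus expiry and attempt counter in
    the server-side session, and return the clear pin for delivery to the user."""
    now = time.time() if now is None else now
    otp = generate_otp()
    salt = secrets.token_bytes(SALT_BYTES)
    session["otp"] = {
        "salt": salt,
        "hash": hash_otp(otp, salt),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return otp


def verify_otp(session, entered, now=None):
    """Check the user's entry against the stored hash.

    Returns True only for a correct, unexpired pin within the attempt budget.
    The record is deleted on success, on expiry and on lockout, so a pin is
    single-use and cannot be guessed indefinitely.
    """
    now = time.time() if now is None else now
    record = session.get("otp")
    if record is None:
        return False
    if now > record["expires"]:
        session.pop("otp", None)
        return False
    record["attempts"] += 1
    if record["attempts"] > MAX_ATTEMPTS:
        session.pop("otp", None)
        return False
    candidate = hash_otp(entered, record["salt"])
    # compare_digest runs in constant time, so a wrong guess does not leak
    # where the first differing character is.
    if hmac.compare_digest(candidate, record["hash"]):
        session.pop("otp", None)
        return True
    return False


if __name__ == "__main__":
    store = {}
    pin = issue_otp(store)
    print("send to user:", pin)
    print("stored record holds only a hash:", store["otp"]["hash"])
    print("correct entry accepted:", verify_otp(store, pin))
    print("replay rejected:", verify_otp(store, pin))
```

As the thread notes, a dict like `store` lives in one process; in a web farm without sticky sessions the same record would need to go in a shared store such as a database or cache, with the same fields.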