tags:

views:

84

answers:

3
Q: 

Is it safe to store a OTP in the session?

I am writing a web application and for certain actions the user needs to enter a One Time Pin (OTP) - similar to most banking websites.

So I basically need to generate a random string, store it somewhere, send it to the user and then validate the entered pin against the one I stored.

Is it safe to store this generated string in the ASP Session object?

A: 

Session is a server-side collection not accessible on the client (as opposed to cookies / viewstate). It should be free from the client manipulation.

Still, I think you should store these OTPs in the database and compare against those.

Developer Art  2009-10-26 09:56:37
Why would you store the OTPs in the database? I just want to do the simplest thing that could possibly work?
Jaco Pretorius  2009-10-26 10:02:08
I think that Dokie answered this already ;-)
weismat  2009-10-26 10:16:29
What if the user closes the browser, goes to have a cup of tee then return and complete the mission? The session variable will be lost. If this however is exactly what you want then the session will do just fine.
Developer Art  2009-10-26 10:17:19
Yeah this is exactly what I want. I'm aware of the issue with using Session in web farms.
Jaco Pretorius  2009-10-26 10:27:58
A: 

Just be aware that any in-memory Session data is not transferable to other web servers in a web farm so if this site needs to scale then you might want to put the OTP off the web server. Unless you employ sticky sessions of course.

Dokie  2009-10-26 10:10:15
+2  A: 

Don't store the PIN. Hash it (one of the SHA algorithms, preferably with some salt) and store the hash. Then compare the hash of what the user types in to the hash you stored. Then, if your storage (be it in the session object, some database, or whatever) is compromised, the attacker does not learn what the PIN is.

jeffsix  2009-10-26 23:39:26
Good idea thanks
Jaco Pretorius  2009-10-27 09:30:14

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?