views: 124
answers: 4

I am developing a web application where UserId and RoleId play a vital role... Is it secure to store these values in the session? Other options are a hidden field or a cookie. Which is more secure?

Any suggestion for this...

+4  A: 

Session variables are more secure than cookies, because they're on your server, not the user's computer. Sessions aren't perfect though -- they can be hijacked by stealing the session key. Still, this is more difficult to do than just taking a cookie that's been saved on a computer.

Kaleb Brasee
Good point, however packet sniffing could easily identify a session key.
Russell
(intending above point to agree with what you were saying, ignore the "however" :P )
Russell
A: 

Session is definitely more secure than hidden fields or cookies.

The difference is the SESSION values are stored on the SERVER, and hidden fields and cookies are stored on the client.

roman m
A: 

Session would be more secure than a cookie (session is stored in memory on the server, where the cookie goes to the client).

Gabriel McAdams
+5  A: 

Sessions are more secure than cookies and hidden fields because they are kept on the server. Cookies usually shouldn't contain sensitive data, even encrypted, as users have direct access to them. Hidden fields are also sent to the client, but simply not displayed. Therefore, using tools such as FireBug, you can easily display this content.

There are various places you can store the session, such as in memory (if you're not using them much) or have a SQL server maintaining them. You can get more information on sessions here. Sessions are secure because of the fact that they are stored server side.

keyboardP
You can debug session variables on your web server (through Visual Studio for example) through breakpoints, which I would argue is easier than Firebug.
Russell
I was assuming the viewpoint of the end user. They could use FireBug to display any hidden fields/cookies that are present on a page.
keyboardP
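To make the point of the accepted answer concrete, here is an added example (not code from the question or any answer) contrasting the two storage choices: a handler that trusts a RoleId posted back in a hidden field, beside one that keeps UserId/RoleId in a server-side store and sends the client only an opaque session id. The in-memory `SESSION_STORE` dict and the `sessionid` cookie name are assumptions standing in for a real framework's session provider.

```python
import secrets

# Constructed stand-in for a server-side session provider:
# opaque session id -> data that never leaves the server.
SESSION_STORE = {}


def create_session(user_id, role_id):
    """Start a session after a successful login.

    Only the random id is handed to the client (e.g. in a cookie);
    UserId and RoleId stay in SESSION_STORE on the server.
    """
    sid = secrets.token_urlsafe(32)          # 256 bits, unguessable
    SESSION_STORE[sid] = {"UserId": user_id, "RoleId": role_id}
    return sid


def is_admin_hiddenfield(form):
    """Insecure pattern: RoleId is read back from a hidden form field.

    The field is rendered to the client, so whatever value the browser
    posts is what the server sees; the server is no longer the authority.
    """
    return form.get("RoleId") == "admin"


def is_admin_session(cookies):
    """Secure pattern: the client holds only the opaque id.

    RoleId is looked up server-side, so the client cannot change it;
    an unknown or missing id simply yields no session.
    """
    sid = cookies.get("sessionid", "")
    data = SESSION_STORE.get(sid)
    return data is not None and data["RoleId"] == "admin"


def client_visible_session_data(sid):
    """What the client can actually see about a session: only the id."""
    return {"sessionid": sid}
```

In the hidden-field version the server has no way to tell a genuine RoleId from an edited one; in the session version the only client-side value is the id, and its secrecy (over HTTPS) is what the "session hijacking" comments above refer to.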