I am using Silverlight 3 on my website. I have a Login Page for role-based authentication that routes users with different privileges to different parts of the website. I want to use something analogous to the Session Variables available in standard ASP.NET applications.

I intend to use Isolated Storage to achieve this. But I am skeptical about security in this option, as the Isolated Storage exists on the client side, and can be manipulated on client side. I am new to the Isolated Storage concept and don't know about the security options provided by it in terms of Encryption and server-side validation etc. If any of you have used it or are aware of the security provided in this case, could you please shed some light on the same.

Thanks

A: 

Here's an idea: why not just use a static instance of a dictionary (to go with a simple example)? As you mentioned, Silverlight runs on the client side, which means that you don't have to be concerned with other users' state. The dictionary will be persisted as long as the user is using the Silverlight app, and every time you go to the page again, the AppDomain will be recreated, which is analogous to the user having an empty session state bag re-initialized.

Joel Martinez
A: 

Have a look at the Silverlight Database project which implements an Isolated Storage database. The functionality includes compression and encryption.

IsolatedStorage
A: 

An alternative solution is provided in this MSDN article - AESManaged Class

IsolatedStorage
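
One way to apply the AesManaged suggestion from the answers above to Isolated Storage, as an added example that is not code from the thread, the linked MSDN article or the Silverlight Database project. It encrypts with AES-CBC and appends an HMAC-SHA256 tag, so a file edited on the client is rejected before it is decrypted. The class name `SealedStore`, the blob layout and the two 32-byte keys are assumptions; the keys are assumed to be derived at login (for example with `Rfc2898DeriveBytes`) and never written next to the data.

```csharp
using System;
using System.IO;
using System.IO.IsolatedStorage;
using System.Security.Cryptography;

// Added example. Blob layout: IV (16) || AES-CBC ciphertext || HMAC-SHA256 tag (32).
public static class SealedStore   // hypothetical helper name
{
    public static byte[] Seal(byte[] plain, byte[] encKey, byte[] macKey)
    {
        using (var aes = new AesManaged { Key = encKey })
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.GenerateIV();                       // fresh random IV for every write
            byte[] iv = aes.IV, ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plain, 0, plain.Length);
            var blob = new byte[iv.Length + ct.Length + 32];
            Buffer.BlockCopy(iv, 0, blob, 0, iv.Length);
            Buffer.BlockCopy(ct, 0, blob, iv.Length, ct.Length);
            // The tag covers IV and ciphertext, so neither can be altered unnoticed.
            byte[] tag = hmac.ComputeHash(blob, 0, iv.Length + ct.Length);
            Buffer.BlockCopy(tag, 0, blob, iv.Length + ct.Length, tag.Length);
            return blob;
        }
    }

    public static byte[] Open(byte[] blob, byte[] encKey, byte[] macKey)
    {
        // Smallest valid blob: 16-byte IV + one 16-byte block + 32-byte tag.
        if (blob.Length < 64) throw new CryptographicException("blob too short");
        int bodyLen = blob.Length - 32, diff = 0;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] tag = hmac.ComputeHash(blob, 0, bodyLen);
            // Compare every byte so timing does not reveal where the tags differ.
            for (int i = 0; i < 32; i++) diff |= tag[i] ^ blob[bodyLen + i];
        }
        if (diff != 0) throw new CryptographicException("stored data was modified");
        var iv = new byte[16];
        Buffer.BlockCopy(blob, 0, iv, 0, 16);
        using (var aes = new AesManaged { Key = encKey, IV = iv })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(blob, 16, bodyLen - 16);
    }

    public static void Save(string name, byte[] blob)
    {
        using (var store = IsolatedStorageFile.GetUserStoreForApplication())
        using (var fs = new IsolatedStorageFileStream(name, FileMode.Create, store))
            fs.Write(blob, 0, blob.Length);
    }
}
```

Any key the Silverlight client can use is also available to the user running it, so this detects edits to the stored file and keeps it unreadable to other local accounts; the role decision itself still has to be checked by the server on each request.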