I am doing web-based projects in dotnet. Currently I am implementing security using session variables. I keep the current user id and user type in session and authenticate the user from these session variables (say Session["UserId"], Session["UserName"] and Session["UserType"]).

Please help me understand how this could be insecure. I've heard that such security can be broken and applications can be hacked very easily, e.g. that it is possible to get the session id and connect directly to that session id, etc.

Please guide me on this.

+2  A: 

Underneath the hood, standard ASP.NET Forms Authentication basically works the same way you are describing. The insecurity comes mostly from the fact that you are essentially telling ASP.NET "hey, don't worry... I'll handle this." By taking over security concerns, you are deploying the rope by which you will hang yourself (*). Microsoft has invested years of manpower into the ASP.NET framework and it has a fairly robust built-in security system. You should use it.

Aristos is barking up the wrong tree... if someone can steal "one simple cookie" from your user/site then they can break ASP.NET's default security model also. While that's definitely a concern, it's not really the issue here.

*For example, let's say you create a "secure" Page object called MySecurePage which always checks that the user is logged in and validated before executing code. Well, along comes Developer Joe one day and forgets to use MySecurePage and uses Page instead. Oops, you've just eliminated all the security on this page. This is a simple example, but hopefully you get the idea of how many different ways there are to screw this up.

Bryan
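As an added illustration (not code from the question or from Bryan's answer), here are the two approaches side by side: a hand-rolled base page that checks Session variables and silently protects nothing on any page that forgets to inherit from it, versus ASP.NET Forms Authentication, where the framework refuses anonymous requests from web.config before any page code runs. MySecurePage and the Session keys follow the thread; Login.aspx, the web.config fragment, the TextBox controls and the Membership provider are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Hand-rolled approach from the thread: the check lives only on pages that
// remember to inherit from MySecurePage. A page deriving from Page directly
// (the "Developer Joe" case in the answer) runs with no check at all.
public class MySecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session["UserId"] == null)
        {
            Response.Redirect("~/Login.aspx?ReturnUrl=" +
                HttpUtility.UrlEncode(Request.RawUrl));
        }
    }
}

// Forms Authentication approach: the framework applies the rule to every
// request, so no page can opt out by forgetting a base class. Assumed
// web.config fragment (shown as a comment):
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="~/Login.aspx" timeout="20" requireSSL="true" />
//     </authentication>
//     <authorization>
//       <deny users="?" />   <!-- "?" = anonymous: refused site-wide -->
//     </authorization>
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
//
// Login.aspx issues the framework's signed, encrypted ticket instead of
// writing raw identity fields into Session. UserName/Password are assumed
// TextBox controls; Membership is the assumed user store.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (Membership.ValidateUser(UserName.Text, Password.Text))
        {
            // The ticket is MAC'd with the machineKey, so the client cannot
            // edit the user name; false = non-persistent session cookie.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
    }
}
```

On a protected page the identity then comes from the validated ticket via `User.Identity.Name` and `User.Identity.IsAuthenticated` rather than from a Session entry any page could forget to check.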