views:

2949

answers:

6

What's the best way to authenticate and track user authentication state from page to page? Some say session state, some say cookies?

Could I just use a session variable that has the ID of the user and upon authentication, instatiate a custom User class that has the User's information. Then, on every page, verify the session variable is still active and access basic user data from the User object?

Any thoughts? Any good examples?

+8  A: 

There's no perfect way to do it. If you store it in a cookie you'll take flak that cookies can be stolen. If you store it in the session you'll take flak because sessions can be hijacked.

Personally, I tend to think a session is a little more reliable because the only thing stored on the client is a session key. The actual data remains on the server. It plays the cards a little closer to the chest, if you will. However, that's just my preference, and a good hacker would be able to get past shoddy security regardless.

No matter what you do, don't try to implement this yourself. You'll get it wrong. Use the authentication system provided by your specific platform. You also need to make sure you have adequate security precautions protecting the authentication token.

Joel Coehoorn
that's kind of wrong, because cookies can be hijacked and session can be stolen (as its often implemented as abstraction over plain cookies)
lubos hasko
+1  A: 

I dont know if its THE BEST way to do it, but we are comfortable with the way we do it.

we have a custom user object that we instantiate when the user authenticates, we then use Session to maintain this object across the application.

In some application we combine it with the use of cookies to extend the session continuously.

Victor
A: 

Good info. If using Asp.net, my guess is that I'd be using forms based authentication. However, the data that we're autheticating against is in an external database. Can FBA be configured to pull data from an external data source? All I've used in the past is the simple authentication that FBA brings out of the box.

Bill
For an external database, the asp.net way would be via a memebership provider.
Joel Coehoorn
+6  A: 

The problem with favoring sessions over cookies for 'security' is that sessions USE cookies to identify the user, so any issue with cookies is present with sessions.

One thing to keep in mind with the use of Sessions is data locality. If you plan to scale to more than one webserver at any point, you need to be very careful storing large amounts of data in the session objects.

Since you are using .NET, you will basically have to write your own session store provider to handle this, as InProc won't scale past 1 server, the DB provider is just a bad idea entirely (The whole point is to AVOID DB reads here while scaling, not add more), and the StateServer has a lot of capacity issues. (In the past, I have used a memcached session store provider with some success to combat this issue).

I would google for signed cookies and look into using that instead of either regular cookies or sessions. It solves a lot of the security concerns, and removes the locality issues with sessions. Keep in mind they come back and forth on every request, so store data sparingly.

Todd Berman
You can have cookieless sessions in any platform. .NET offers it our of the box too.
Esteban Araya
A: 

Cookies and Sessions by themselves are not truly sufficient. They are tools to use to track the user and what they do, but you really need to think about using a database to persist information about the user that can also be used to secure the application.

Jeff.Crossett
+2  A: 

Sessions are Cookies...

Shawn Simon