views: 157
answers: 3

Hi,

I am developing my login for my new homepage.

Now I found out that I must save something like the userID (or another value by which I can recognize my user) in the session variable of the browser.

At the moment I use INT for the userID.

So isn't it unsafe to put the userID in the session?

E.g. when I edit my session variable manually from userID 111 to userID 112, then I am logged in as a completely different user?!

+2  A: 

Yes, it is unsafe to rely only on user ID.

You may wish to add a unique authentication token generated and remembered by the server. This is also a very simple solution, but it will stop manipulation of the user ID, since the correct authentication token value for the other user cannot be guessed.

You also need to submit both user ID and the corresponding authentication token at each request to be jointly validated on the server side, prior to performing the requested operation.

P.S. The above applies if you store this information in cookies, which are accessible on the client side and can be manipulated. The viewstate (serialized in pages) can also be manipulated. The session collection is a server-side variable that is not available on the client, so it cannot be manipulated. In this latter case your user ID should be safe.

I would recommend you to implement the dual system: store the user ID and the token both in cookies and in the session and use the same validation logic (for simplicity). Should cookies be disabled, you automatically fall back to using the session without changing your code.

Developer Art
That's a very good idea, I think. The each-request validation is already in. Not a simple table with session tokens and userID, right? And compare this before login succeeded.
Kovu
When a user tries to login you validate the username/password and issue a unique validation token that you keep somewhere (in session/cookies). At any later request you check the username/token pair and see if their match. If they do, you proceed to perform the requested operation, otherwise deny access and redirect to the login page.
Developer Art
Yeah, that's what I understand, but my question is: is it logically right and safe to save the userID / token pair in a database table to compare with?
Kovu
Don't reinvent the wheel. .Net has all this available for you to just use out of the box. Check out: http://msdn.microsoft.com/en-us/library/ms998317.aspx
Arry
@Kovu: Yes, you store them in the database, where else?
Developer Art
@Kovu: If you wish to allow multiple logins from several computers simultaneously (home/office) you may want to keep several valid tokens and compare against one of them. That's how you're going to design your system.
Developer Art
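The userID-plus-server-issued-token scheme Developer Art describes, together with the table of userID/token pairs Kovu asks about and the multiple-login case from the last comment, as an added example (not code from this thread, and framework-neutral Python rather than the .Net APIs mentioned). The in-memory `TOKEN_TABLE` stands in for the database table; `USERS`, the credentials, and the function names are constructed for the demo.

```python
from __future__ import annotations

import hmac
import secrets

# Constructed in-memory stand-in for the database table of (user_id, token)
# pairs. A real site persists this in its user store.
TOKEN_TABLE: dict[int, set[str]] = {}

# Constructed credential table. A real site stores password hashes, not
# plaintext; this is only enough to show the token flow.
USERS = {"alice": (111, "correct horse"), "bob": (112, "battery staple")}


def login(username: str, password: str) -> tuple[int, str] | None:
    """Check username/password and issue a fresh random token for this login.

    Several tokens per user are kept, so logins from home and office can
    both stay valid at the same time (the multiple-login case above).
    """
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[1].encode(), password.encode()):
        return None
    user_id = record[0]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    TOKEN_TABLE.setdefault(user_id, set()).add(token)
    return user_id, token


def is_authenticated(user_id: int, token: str) -> bool:
    """Validate the (user_id, token) pair sent with each request.

    Run this before performing the requested operation. A user ID edited
    from 111 to 112 fails because the token was never issued to user 112.
    """
    for valid in TOKEN_TABLE.get(user_id, ()):
        if hmac.compare_digest(valid, token):  # constant-time compare
            return True
    return False


def logout(user_id: int, token: str) -> None:
    """Revoke one device's token; other devices' tokens stay valid."""
    TOKEN_TABLE.get(user_id, set()).discard(token)


def demo() -> dict[str, bool]:
    """Walk through the scenario from the question with the scheme in place."""
    TOKEN_TABLE.clear()
    bad = login("alice", "wrong password")
    user_id, home_token = login("alice", "correct horse")
    _, office_token = login("alice", "correct horse")  # second device, own token
    results = {
        "bad_password_rejected": bad is None,
        "valid_pair_accepted": is_authenticated(user_id, home_token),
        "second_device_accepted": is_authenticated(user_id, office_token),
        "edited_user_id_rejected": not is_authenticated(112, home_token),
        "guessed_token_rejected": not is_authenticated(user_id, secrets.token_urlsafe(32)),
    }
    logout(user_id, home_token)
    results["logged_out_token_rejected"] = not is_authenticated(user_id, home_token)
    results["other_device_still_valid"] = is_authenticated(user_id, office_token)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The point of the table is that the token, not the user ID, is the secret: the ID can be anything the client likes, but the server only honours a pair it issued itself, and each login gets its own row so revoking one device does not log out the others.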
+1  A: 

The session variable is not stored in the browser, it is stored on the web server. (Typically anyway.)
A token indicating which session variable to use is stored in the browser.

So storing the userid in the session variable is fine, as the user has no access to this directly.

If the user were to change the session token to another one, that would be a problem, but they'd need to know the other token first. (I'm not sure how to do that myself.) (You can further diminish this by using encryption, or other identifiers like IP addresses etc.; it's really a case of how secure you need your website to be.)

Also, if your site needs the user to log in, it's advisable to use https/SSL.

Bravax
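The two designs Bravax contrasts, as an added example (not code from this thread, and framework-neutral Python rather than ASP.NET): the vulnerable layout from the question, where the user ID itself travels in a cookie, beside the server-side session store where the browser only ever holds an opaque random session ID. `SESSIONS`, the function names and the cookie names are constructed for the demo; the `Set-Cookie` helper shows the `Secure` flag that goes with the https advice.

```python
from __future__ import annotations

import secrets
from http.cookies import SimpleCookie


# --- Vulnerable design from the question: the user ID lives in the cookie ---
def vulnerable_current_user(cookie_header: str) -> int | None:
    """Trusts whatever userID the browser sends: editing 111 -> 112 switches accounts."""
    cookies = SimpleCookie(cookie_header)
    return int(cookies["userID"].value) if "userID" in cookies else None


# --- Hardened design: browser holds only an opaque session ID ---
# Constructed in-memory stand-in for the web server's session store.
SESSIONS: dict[str, dict] = {}


def create_session(user_id: int) -> str:
    """Put the user ID in server-side session state and return the lookup key."""
    sid = secrets.token_hex(16)  # 128 random bits from the OS CSPRNG
    SESSIONS[sid] = {"userID": user_id}
    return sid


def hardened_current_user(cookie_header: str) -> int | None:
    """Resolve the user from the session store; any client-sent userID is ignored."""
    cookies = SimpleCookie(cookie_header)
    if "sessionID" not in cookies:
        return None
    session = SESSIONS.get(cookies["sessionID"].value)
    return session["userID"] if session else None


def session_cookie(sid: str) -> str:
    """Build the Set-Cookie value: HttpOnly keeps scripts away from the ID,
    Secure keeps it off plain http, which is why the site should use https."""
    cookies = SimpleCookie()
    cookies["sessionID"] = sid
    cookies["sessionID"]["httponly"] = True
    cookies["sessionID"]["secure"] = True
    cookies["sessionID"]["path"] = "/"
    return cookies.output(header="").strip()


def demo() -> dict[str, object]:
    """Replay the question's tampering attempt against both designs."""
    SESSIONS.clear()
    sid = create_session(111)
    return {
        "vulnerable_tampered": vulnerable_current_user("userID=112"),  # 112: attacker wins
        "hardened_valid": hardened_current_user(f"sessionID={sid}"),  # 111
        "hardened_client_userid_ignored": hardened_current_user(f"userID=112; sessionID={sid}"),  # 111
        "hardened_guessed_id": hardened_current_user(f"sessionID={secrets.token_hex(16)}"),  # None
        "set_cookie": session_cookie(sid),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A stray `userID` cookie does nothing in the hardened version because the server never reads it; the only way to become user 112 is to present a session ID that the server has already bound to 112, and a 128-bit random ID cannot be enumerated the way a sequential integer can.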
A: 

As Bravax says, the user does not have access to the Session variables (Cookies they do have access to).

If you are worried at all I would use a GUID instead as they are not sequential and nearly impossible to guess.

Also, have you looked at the built-in stuff in .Net for authentication? Look at FormsAuthentication.

HTH, Arry

Arry