b0x0rz

Reputation: 3981

Is a session cookie secure enough to store the user ID?

I am using a session cookie (not a permanent one) to save the user ID, to know if the user is logged in.

Basically, the user logs in, we check the credentials, then set a session cookie UserID = 37 (for this particular user; another user would have 73 or 69, etc.)

Session.Add("UserID", 37);

My question is: is it possible for the logged-in user to somehow change this session cookie from 37 to 73 and thus fool the server into thinking he is actually user 73? If YES, then what am I doing wrong, and how do I handle this case? It seems insane to put the user ID and password hash in the session and check them EVERY TIME??

We are also using this user ID value in queries later, to restrict them.

I am sorry if this is not an EXACT code question, but it is very much relevant to my code.

Upvotes: 7

Views: 2428

Answers (4)

Servy

Reputation: 203829

As the other answers have noted, the actual value (37 in the example) is stored on the server, not the client, but that doesn't mean that you're immune to potential attacks. This mechanism is still vulnerable to cross-site scripting attacks. Basically, what is stored in the client's cookie is some big, long identifier. If someone other than the actual user gets hold of that identifier, they can put that in a cookie of their own and essentially pretend to be that user. You can research cross-site scripting more on your own (I'm not an expert on the subject) to see some of the common ways that a malicious user will attempt to look at other users' cookies and try to set them as their own, along with ways of defending against such attacks (some of which I'm sure will be done for you by browsers and ASP).

Upvotes: 0

Pranay Rana

Reputation: 176896

ASP.NET session state provides an important security advantage over client state management techniques in that the actual state is stored on the server side and not exposed on the client and other network entities along the HTTP request path. However, there are several important aspects of session state operation that need to be considered in order to maintain application security. Security best practices fall into three major categories: preventing session ID spoofing and injection, securing the state storage in the back-end, and ensuring session state deployment security in dedicated or shared environments.

Read: Securing Session State

Upvotes: 3

callumacrae

Reputation: 8433

That isn't the cookie, and is perfectly safe as it cannot be changed by the user. The only thing stored on the server side in a cookie is the session ID.

Upvotes: 2

Darin Dimitrov

Reputation: 1038810

The session cookie contains only the session id. It is used to identify the user. It contains nothing more. The actual information for this session is stored on the server. So this is secure. The user can never change the value that has been stored on the server. The user cannot change his id if you stored this inside the session.

This being said, when dealing with user ids you could consider using forms authentication to track authenticated users instead of reinventing wheels with the Session.

Upvotes: 7
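The mechanism the answers describe (an opaque session ID in the cookie, the UserID kept server-side, and the hijacking risk if that ID leaks), as an added example that is not from the question or any of the answers: a framework-neutral Python model of server-side session state, not ASP.NET's own implementation. SESSION_STORE, ORDERS and the use of the question's sample IDs 37, 73 and 69 are constructed for the example.

```python
import secrets
from typing import Dict, List, Optional

# Constructed in-memory model of server-side session state (example code, not
# ASP.NET's implementation). The browser cookie holds only the opaque session
# ID; the "UserID" value lives in this dictionary on the server.
SESSION_STORE: Dict[str, dict] = {}

# Constructed sample data for the "restrict queries by UserID" part of the question.
ORDERS = [(1, 37), (2, 73), (3, 37), (4, 69)]      # (order_id, owner_user_id)


def login(user_id: int, pre_auth_sid: Optional[str] = None) -> str:
    """Called only after credentials have been verified.

    Issues a fresh random session ID, so an ID chosen or learned before
    authentication (session fixation) is not carried into the logged-in
    session, then stores the UserID against it (the Session.Add step)."""
    if pre_auth_sid is not None:
        SESSION_STORE.pop(pre_auth_sid, None)
    sid = secrets.token_urlsafe(32)                 # 256 random bits: not guessable
    SESSION_STORE[sid] = {"UserID": user_id}
    return sid                                      # the only thing the cookie carries


def set_cookie_header(sid: str) -> str:
    """Cookie attributes that limit hijacking of the ID: HttpOnly keeps page
    scripts from reading it, Secure keeps it off plaintext HTTP, and omitting
    Expires/Max-Age makes it a session cookie as in the question."""
    return f"Set-Cookie: SessionId={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def current_user(cookie_sid: Optional[str]) -> Optional[int]:
    """Resolve the cookie value to a UserID. A value that is not a live session
    ID (edited, guessed, or logged out) maps to nobody, so a client that changes
    its cookie to "73" does not become user 73; only the server sets UserID."""
    state = SESSION_STORE.get(cookie_sid) if cookie_sid else None
    return state["UserID"] if state else None


def my_orders(cookie_sid: Optional[str]) -> List[int]:
    """Query restricted by the server-resolved UserID, never by a client value."""
    uid = current_user(cookie_sid)
    if uid is None:
        return []
    return [oid for oid, owner in ORDERS if owner == uid]


def logout(cookie_sid: str) -> None:
    SESSION_STORE.pop(cookie_sid, None)             # also invalidates any stolen copy
```

The remaining exposure is the session ID itself: anyone presenting the exact token is treated as user 37, which is why the cookie flags and a server-side logout that deletes the entry matter more than what the stored value happens to be.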
