jjdev80

Reputation: 461

Custom session handling in MVC / ASP.NET

I'm using ASP.NET, I use a custom authentication provider that I wrote myself, hashing and salting is in place so it should be relatively secure.

I also implemented a custom auth session mechanism which works like this.

  1. User signs in to the web app, the password is verified against the data in the mssql db.
  2. A new row is inserted to the 'sessions' table, it contains a reference to the user that is logged on, an authentication token, and an expiry date.
  3. The auth token is returned with a cookie, and is stored on the client's computer.
  4. The auth token is used to identify the user.

It works perfectly, but I'm not sure it's the right way to go, because I can see the potential security risks: for example, if someone hacks into the db and changes the user id, or gets hold of the auth token. Or am I wrong?

P.S. Unfortunately I cannot use the built-in auth/session handling, because our customers requested that, plus we have to support other db engines, such as mysql, oracle/etc, so please don't suggest that :)

Upvotes: 4

Views: 1719

Answers (1)

Earlz

Reputation: 63875

I think this is almost secure.

To alleviate your concerns of everything being compromised upon seeing the database, there are some ways around this. If you have no concerns of scaling to multiple servers, you could generate a key on application startup, and then use this key to "sign" each session. So, you could make a hash of something like auth token + server key + expiration, and then you could verify this on each request from the session.

As for people being able to steal the auth token, you only have so many options here. For reference, this is called a "replay attack". They're very hard to prevent without making your website annoying (oh, you want to open 3 tabs from this one page? You're going to have to sign in again because it's a replay). See Wikipedia for more info. It highly depends on exactly "how secure" you need to be.

Upvotes: 1
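Added example (not code from the asker or the answerer): a C# sketch of the session scheme in the question (random token, 'sessions' row with user id and expiry) combined with the per-process signing key the answer suggests. It goes slightly beyond the answer by including the user id in the HMAC, so a row whose user id was edited directly in the database fails validation. Assumptions: .NET 6 or later (for `RandomNumberGenerator.GetBytes`), and an in-memory dictionary standing in for the database table; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// One session row, as it would be stored in the 'sessions' table.
public sealed class SessionRecord
{
    public int UserId { get; init; }
    public string Token { get; init; } = "";
    public DateTimeOffset Expires { get; init; }
    public string Signature { get; init; } = "";
}

public static class SignedSessions
{
    // Generated once per application start and never persisted. This is the
    // single-server trade-off from the answer: a restart invalidates all sessions.
    private static readonly byte[] ServerKey = RandomNumberGenerator.GetBytes(32);

    // Constructed stand-in for the database table (token -> row).
    private static readonly Dictionary<string, SessionRecord> Table = new();

    // Step 2/3 of the question: create the row and return the token for the cookie.
    public static SessionRecord Create(int userId, TimeSpan lifetime)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        DateTimeOffset expires = DateTimeOffset.UtcNow.Add(lifetime);
        var record = new SessionRecord
        {
            UserId = userId,
            Token = token,
            Expires = expires,
            Signature = Sign(userId, token, expires),
        };
        Table[token] = record;
        return record;
    }

    // Step 4: resolve the cookie value to a user id, or null if the session is
    // unknown, expired, or its row no longer matches the signature.
    public static int? Validate(string tokenFromCookie)
    {
        if (!Table.TryGetValue(tokenFromCookie, out var record)) return null;
        if (record.Expires <= DateTimeOffset.UtcNow) return null;

        byte[] expected = Convert.FromBase64String(Sign(record.UserId, record.Token, record.Expires));
        byte[] stored = Convert.FromBase64String(record.Signature);
        // Constant-time comparison so the check itself leaks nothing about the MAC.
        if (!CryptographicOperations.FixedTimeEquals(expected, stored)) return null;
        return record.UserId;
    }

    // HMAC-SHA256 over the fields that matter. The key lives only in process
    // memory, so someone who can edit the table cannot produce a valid signature.
    private static string Sign(int userId, string token, DateTimeOffset expires)
    {
        string payload = $"{userId}|{token}|{expires.UtcTicks}";
        using var hmac = new HMACSHA256(ServerKey);
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Demo-only helper: simulates a direct edit of the user id in the table,
    // leaving the stored signature untouched.
    public static void TamperUserIdForDemo(string token, int newUserId)
    {
        var old = Table[token];
        Table[token] = new SessionRecord
        {
            UserId = newUserId, Token = old.Token, Expires = old.Expires, Signature = old.Signature,
        };
    }
}

public static class Program
{
    public static void Main()
    {
        var session = SignedSessions.Create(42, TimeSpan.FromHours(1));
        Console.WriteLine($"valid session resolves to user: {SignedSessions.Validate(session.Token)}");

        SignedSessions.TamperUserIdForDemo(session.Token, 1);
        Console.WriteLine($"after tampering with the row, user is: {SignedSessions.Validate(session.Token)?.ToString() ?? "null"}");
    }
}
```

Because the key is regenerated on every start, a multi-server deployment would instead need a shared key loaded from configuration or a secret store; that is the scaling caveat the answer raises, and this example deliberately keeps the single-server form.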
