Reputation: 37633
Today I got this question...
Is it a big problem when we store a password as plain text in the Session of ASP.NET MVC?
So is it possible that some hacker can get it somehow?
I need a clear answer about it. If it is possible, I need some explanation of how it could be done. I need it to see the possible risks of that approach.
Thank you!
Upvotes: 1
Views: 1613
Reputation: 52210
I presume that the password is being stored within session because the application uses it for something. A hacker is not likely to be able to read the password (without owning the web server), but it is possible to attack the session, take it over, and then use the password via the application.
Two attacks I can think of immediately:
Session fixation attack. The hacker starts his own session with your app, notes the session ID, then prepares a specially crafted email which, when opened, will cause a user to access your site using that session ID. When the user logs on, the hacker will have access to the same session because they have the ID in common.
Brute force. The session ID is a 120-bit number. A hacker can continuously poll your site with random session IDs until he finds one that works. It's difficult to guard against this form of attack because ASP does not distinguish between a falsified session ID and a real session ID that has expired.
Upvotes: 2
Reputation: 56162
It is absolutely insecure. There are several methods by which an attacker can steal a user's session, e.g. session fixation, session sidejacking, cross-site scripting. You can start your research from the Session hijacking article.
Upvotes: 2
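The mitigations both answers point at (do not keep a reusable credential in session state, and do not let a session ID chosen before login survive the login) can be shown in one ASP.NET MVC 5 login action. The code below is an added example, not code from the question or either answer; `IUserService.VerifyPassword`, `LoginModel` and the controller itself are hypothetical names assumed for the illustration.

```csharp
// Added example (not from the question or the answers): an ASP.NET MVC 5 login
// action that (1) never copies the password into Session and (2) issues a fresh
// session ID after a successful logon, so an ID fixated before login is discarded.
// Assumed: a hypothetical IUserService.VerifyPassword that checks the submitted
// password against a stored salted hash and returns true on a match.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using System.Web.SessionState;

public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public interface IUserService
{
    // Hypothetical service: compares the candidate against a stored salted hash.
    bool VerifyPassword(string userName, string password);
}

public class AccountController : Controller
{
    private readonly IUserService _users;

    public AccountController(IUserService users)
    {
        _users = users;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid || !_users.VerifyPassword(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // The plain-text password is used exactly once, here, and then goes out of
        // scope. Nothing below stores it in Session, so a hijacked session yields no
        // credential the attacker can replay; an operation that genuinely needs the
        // password later should re-prompt for it instead of reading it back from session.

        // Session fixation defence: abandon whatever session the browser arrived with
        // (possibly attacker-chosen) and send a newly generated ID in this response.
        RegenerateSessionId(System.Web.HttpContext.Current);

        // Logged-in state lives in the forms-authentication ticket, not in Session.
        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);

        // Only follow local return URLs so the login page is not an open redirect.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // Abandons the current session and replaces the ASP.NET_SessionId cookie with a
    // fresh value generated by the framework's own SessionIDManager, so the new ID
    // keeps the full 120-bit entropy rather than anything application-derived.
    private static void RegenerateSessionId(HttpContext context)
    {
        context.Session.Abandon();
        var manager = new SessionIDManager();
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);
    }
}
```

The cookie-side hardening that limits the sidejacking and cross-site scripting routes from the second answer is configuration rather than code: in web.config, `<httpCookies httpOnlyCookies="true" requireSSL="true" />` keeps the session cookie away from script and off plain HTTP, and `<sessionState cookieless="false" regenerateExpiredSessionId="true" />` avoids IDs in URLs. Against the brute-force route, the defence is to leave ID generation to `SessionIDManager` (never a shorter or predictable custom ID) and to alert on a high rate of requests carrying unknown session IDs from one source, since the framework itself does not tell an expired ID from a forged one.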