Reputation: 2107
I have a question connected with security. Is it possible to implement authentication and authorization through session variables without using forms authentication and the forms authentication cookie stored in the browser?
How is the session id sent in consecutive requests? Is it also stored in a cookie? What are the drawbacks of using session instead of forms authentication for authentication?
Thank you
Upvotes: 0
Views: 1313
Reputation: 976
Using the user session for authentication is a very bad idea from the security perspective. The user session is maintained by a cookie (ASP.NET_SessionId), just like the authentication session (ASPXAUTH). However, ASP.NET has a lot of security safeguards built into the authentication session cookie management, such as encryption, validation, prevention of tampering, etc. None of these measures exist for the user session cookie, which makes it easy to break the site security.
There is absolutely no reason not to use forms authentication; it is actually more difficult to switch to using the session for authentication, because you have to write custom code to support it.
Upvotes: 2
Reputation: 2252
Well, you have two questions.
Is it possible to implement authentication and authorization through session variables without using forms authentication and the forms authentication cookie stored in the browser?
Yes, it's possible, but we're not supposed to reinvent the wheel, especially when it is related to security. It's strongly recommended to use forms authentication when possible unless you have strong, valid reasons.
How is the session id sent in consecutive requests? Is it also stored in a cookie? What are the drawbacks of using session instead of forms authentication for authentication?
To see the cookie:
Step 1: Create a new ASP.NET MVC project using the Internet template.
Step 2: Start it, create a new user and log in.
Step 3: Open the developer tools and check the cookie section; you can see two cookies:
__RequestVerificationToken
.ASPXAUTH
.ASPXAUTH is the cookie that FormsAuthentication consumes to do the authentication. For all following requests to the server, the server will check this cookie to authenticate the user. You can specify "Remember me" when you log in, which changes the life span of this cookie: if you don't tick it, the life span is tied to the current browser session; if you tick it, it depends on the settings on the server side.
Upvotes: 1
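As an added illustration of what both answers describe (not code from the question or either answer), here is how the .ASPXAUTH cookie is issued at login and how the ticket inside it is decrypted, validated and checked for expiry on later requests in an ASP.NET MVC (System.Web) application. The controller name, view model, the placeholder credential check and the "Dashboard" route are assumptions made for this example; the FormsAuthentication calls are the real System.Web.Security API.

```csharp
// Added example, not from the original page. Assumes an ASP.NET MVC 4/5 project
// on System.Web with <authentication mode="Forms"> configured in web.config.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Placeholder view model for this example.
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    // Placeholder credential check for the example only; a real application
    // validates against a membership/identity store with salted, hashed passwords.
    private static bool CredentialsAreValid(string userName, string password)
    {
        return userName == "alice" && password == "correct horse battery staple";
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // pairs the __RequestVerificationToken cookie with the hidden form field
    public ActionResult Login(LoginViewModel model)
    {
        if (!ModelState.IsValid || !CredentialsAreValid(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // Issues the .ASPXAUTH cookie. The ticket inside it is encrypted and
        // HMAC-validated with the machineKey, so the browser can neither read
        // nor alter the user name or expiry. RememberMe decides whether the
        // cookie gets an explicit Expires (persistent across browser restarts)
        // or is a browser-session cookie; the ticket's own lifetime comes from
        // <forms timeout="..."> in web.config in both cases.
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
        return RedirectToAction("Index", "Dashboard");
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();   // clears the .ASPXAUTH cookie
        Session.Abandon();               // also drop server-side session state tied to the old login
        return RedirectToAction("Index", "Home");
    }
}

// FormsAuthenticationModule performs this check on every request and fills
// User.Identity; this helper repeats it explicitly so the decrypt/validate/expiry
// steps are visible. It is illustrative and does not replace [Authorize].
public static class AuthCookieInspector
{
    // Returns the authenticated user name, or null when the cookie is missing,
    // fails decryption/validation (tampered), or has expired.
    public static string UserNameFromRequest(HttpRequestBase request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName]; // ".ASPXAUTH" by default
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt verifies the HMAC before decrypting; an edited cookie
            // fails here instead of yielding a forged identity.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;

        return ticket.Name;
    }
}
```

The contrast with a hand-rolled session login (for example storing the user name in Session after checking the password and testing for it on each request) is that everything AuthCookieInspector relies on, the keyed encryption and validation of the ticket, its expiry and the persistent/non-persistent cookie handling behind "Remember me", would have to be written and maintained by you rather than coming from the framework.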