Swifty

Reputation: 1432

ASP MVC5 (C#) Securely cache sensitive user information

I need to securely store sensitive user data between posts. I've read numerous posts on the pros & cons of both session and application caching, but still don't have a clear winner.

Here's the scenario: User inputs sensitive information and posts it to the server. He is sent to a read-only confirmation screen and asked for an OTP (sent via SMS). Then the data gets posted to the server again. On the second post I need to check that the viewmodel info has not been tampered with and verify the OTP.

So the viewmodel info needs to be cached on the first post, and compared on the second post. This viewmodel contains very sensitive information, so it needs to be stored as securely as possible.

I've thought of using session to store an encrypted user data store object, but I'm still not entirely convinced that that would be the best solution?

Advice and guidance on this matter would be greatly appreciated!

Upvotes: 0

Views: 288

Answers (1)

Alex Art.

Reputation: 8781

If you are finally going to store this data in the DB, I assume that you find your DB secure enough for this data. A solution could be storing this data in the DB on the first POST with some additional property that states whether this data is verified (I'll refer to it as IsVerified). Once the user verifies the OTP, simply set this IsVerified property to true.

Pros of this solution in comparison to session storage are:

  1. You don't have to worry about session expiration (in case the SMS is delayed, for example).
  2. If you are going to have a load-balancer, you won't be able to use sticky session to store your data, which means that you will have to use some more advanced session management.
  3. The user doesn't have to submit this sensitive data twice, which means that you don't have to re-validate it.

Upvotes: 1
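The IsVerified pattern from the answer written out as an added C# example (not code from the question or the answer). The `PendingSubmission` and `SubmissionService` names, the in-memory dictionary standing in for the DB table, and the OTP hash and expiry columns are assumptions; the user id is expected to come from the authenticated identity, not from the form.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public class PendingSubmission
{
    public Guid Id { get; set; }
    public string UserId { get; set; }        // owner, taken from the authenticated identity
    public string PayloadJson { get; set; }   // the sensitive viewmodel, serialised
    public byte[] OtpHash { get; set; }       // hash only; the raw OTP is never stored
    public DateTime ExpiresUtc { get; set; }
    public bool IsVerified { get; set; }
}

public class SubmissionService
{
    // Stand-in for the DB table (assumption); a real app would use its ORM/DbContext here.
    private readonly Dictionary<Guid, PendingSubmission> _db = new Dictionary<Guid, PendingSubmission>();

    // First POST: persist the data as unverified; only the id goes back to the confirmation form.
    public Guid Create(string userId, string payloadJson, string otp, TimeSpan lifetime)
    {
        var row = new PendingSubmission { Id = Guid.NewGuid(), UserId = userId, PayloadJson = payloadJson,
            OtpHash = Hash(otp), ExpiresUtc = DateTime.UtcNow.Add(lifetime), IsVerified = false };
        _db[row.Id] = row;
        return row.Id;
    }

    // Second POST: the user submits only the id and the OTP, so there is no viewmodel to re-validate
    // or compare. Ownership, expiry and the OTP are all checked before IsVerified is set.
    public bool Verify(Guid id, string userId, string otp)
    {
        PendingSubmission row;
        if (!_db.TryGetValue(id, out row) || row.IsVerified) return false;
        if (row.UserId != userId || DateTime.UtcNow > row.ExpiresUtc) return false;
        if (!FixedTimeEquals(row.OtpHash, Hash(otp))) return false;
        row.IsVerified = true;
        return true;
    }
    private static byte[] Hash(string s) { using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s)); }
    // Constant-time compare (CryptographicOperations.FixedTimeEquals is not in .NET Framework 4.x).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because an SMS OTP has only a few digits, hashing it adds little on its own if the table is read; the short expiry window and a per-row attempt limit in Verify (not shown) are what keep guessing impractical.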
