Reputation:
I am developing a web application in which I plan to store some values in session variables. I plan to use SessionState service since the main reason I plan to use session variables is to reduce some part of the DB access (there will be at MOST 500 bytes of data per user).
Assuming that the user has their Session ID key, what must I do so that the user cannot access the variables that I hide in the Session collection? Also, do I need to take care of ViewState (although I plan to turn it off in this app, it would be nice to know)?
Upvotes: 0
Views: 773
Reputation: 91618
The user will only receive a session ID string, which is stored in a cookie. Thus, there is no way they will be able to access individual values within the session object (unless of course those values are rendered out to the page in any way).
With ViewState, the property bag with all the values is serialized to a hidden form field on the page. These can easily be deserialized by any user who cares to look (it's just a simple Base64 serialization). However, ASP.NET does offer the ability to check if these values have been tampered with and also to encrypt them with a private key on the server. However, I would advise never putting anything "confidential" into the ViewState regardless. Or, as you mentioned, just turn it off if it's not needed.
Upvotes: 1
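To make the point of the answer above concrete, here is an added example (not code from the original post, and not ASP.NET's own serializer): a small Python model of the hidden ViewState field. A plain field is just Base64 over a serialized property bag, so any user can decode it; adding a keyed HMAC, as ASP.NET's ViewState MAC does, lets the server detect tampering, but the values remain readable to anyone who decodes the field. The JSON property bag, the hypothetical `SERVER_KEY`, and the sample `price`/`is_admin` values are assumptions made for the example; real ViewState uses ASP.NET's own binary formatter and the machineKey.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Server-side secret, standing in for the machineKey ASP.NET uses to MAC
# the ViewState. Constructed for this example; never hard-code a real key.
SERVER_KEY = b"example-machine-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _serialize(bag: dict) -> bytes:
    # Stand-in for ASP.NET's object state formatter: deterministic JSON.
    return json.dumps(bag, sort_keys=True).encode()


def encode_viewstate(bag: dict) -> str:
    """Plain ViewState model: serialize the bag and Base64 it.
    No secret is involved, so anyone holding the page can reverse it."""
    return base64.b64encode(_serialize(bag)).decode()


def decode_viewstate(field: str) -> dict:
    """What a curious user does with the hidden field: Base64-decode it."""
    return json.loads(base64.b64decode(field))


def encode_viewstate_mac(bag: dict) -> str:
    """ViewState with a MAC: the serialized bag followed by an HMAC over it.
    The tag lets the server detect edits; it does not hide the values."""
    payload = _serialize(bag)
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def decode_viewstate_mac(field: str) -> Optional[dict]:
    """Server-side check: recompute the HMAC over the payload and reject the
    field on mismatch. Returns None for a tampered, forged or truncated field."""
    raw = base64.b64decode(field)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def peek_viewstate_mac(field: str) -> dict:
    """What the user still sees in a MAC-protected field: the payload is
    plain serialized data, only the trailing tag is keyed."""
    raw = base64.b64decode(field)
    return json.loads(raw[:-TAG_LEN])


def tamper(field: str, key: str, new_value) -> str:
    """Edit one value in a MAC-protected field without the key, keeping the
    old tag, to show that the server-side check catches it."""
    raw = base64.b64decode(field)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    bag = json.loads(payload)
    bag[key] = new_value
    return base64.b64encode(_serialize(bag) + tag).decode()


if __name__ == "__main__":
    bag = {"price": 100, "is_admin": False}  # constructed sample page state
    plain = encode_viewstate(bag)
    print("plain field decodes to:", decode_viewstate(plain))
    protected = encode_viewstate_mac(bag)
    print("MAC'd field still readable:", peek_viewstate_mac(protected))
    print("tampered MAC'd field accepted?",
          decode_viewstate_mac(tamper(protected, "is_admin", True)) is not None)
```

The two checks that matter for the question: `decode_viewstate` recovers every value from a plain field with nothing but a Base64 decoder, and `peek_viewstate_mac` shows that switching the MAC on changes nothing about that. The MAC only turns a silent edit (the `tamper` call) into a rejected request, which is why the answer says to keep confidential data out of ViewState even when the MAC and encryption options are enabled.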
Reputation: 1870
As Darin pointed out, you should be OK with the default session implementation, but if you want to make sure that the data you store in the session is fully unreadable, you can encrypt it prior to storing it.
Upvotes: 0
Reputation: 1038850
what must I do so that the user cannot access the variables that I hide in the Session collection?
Unless the user has root access to your server (which is where the session data is stored), you shouldn't worry too much. But I guess that if the user had root access to your server, you would have far bigger problems to worry about than session data.
The client cannot access data which is stored inside the session. Only server side code can access it. So it is up to you to decide what information you want to send to the client. All that the user sees is the session id (which is stored in a cookie), not the actual session data. This id is sent by the user on each request so that the server can find the corresponding data which in your case is stored in the memory of the state server that you have configured.
Upvotes: 2
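As an added illustration of the mechanism described in this answer (example code, not from the original post and not ASP.NET's implementation): a minimal in-process model of a state server. The browser only ever holds the session id from the `ASP.NET_SessionId` cookie (the real default cookie name); the id is a random 256-bit token that indexes a server-side dictionary, so presenting an unknown or guessed id yields a fresh, empty session rather than anyone else's data, and an expired id is dropped. The `SessionStateStore` class, the `handle_request` helper and the injectable `clock` are assumptions made for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_ID_BYTES = 32           # 256 bits of entropy: ids cannot be guessed
SESSION_TTL_SECONDS = 20 * 60   # 20 minutes, the ASP.NET default timeout
COOKIE_NAME = "ASP.NET_SessionId"


class SessionStateStore:
    """Model of a state server: all session values live here, on the server.
    The client never receives anything but the id."""

    def __init__(self, ttl: float = SESSION_TTL_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, list] = {}  # id -> [expires_at, values]
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested offline

    def create(self) -> str:
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = [self._clock() + self._ttl, {}]
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        """Resolve the id presented in the cookie. Unknown, expired or missing
        ids return None: the id is the only link the client has to the data."""
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        expires_at, values = entry
        if self._clock() > expires_at:
            del self._sessions[sid]
            return None
        entry[0] = self._clock() + self._ttl  # sliding expiration
        return values


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Tiny Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_request(store: SessionStateStore,
                   cookie_header: str) -> Tuple[dict, str]:
    """Per-request session lookup. Returns the session's value dict and the
    Set-Cookie value to send back ('' when the presented id was valid)."""
    sid = parse_cookie_header(cookie_header).get(COOKIE_NAME)
    values = store.get(sid)
    if values is None:
        sid = store.create()
        values = store.get(sid)
        # HttpOnly keeps script away from the id; Secure keeps it off plain HTTP.
        return values, f"{COOKIE_NAME}={sid}; HttpOnly; Secure; SameSite=Lax"
    return values, ""


if __name__ == "__main__":
    store = SessionStateStore()
    values, set_cookie = handle_request(store, "")          # first visit
    values["user_id"] = 42                                   # server-side only
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    again, _ = handle_request(store, f"{COOKIE_NAME}={sid}")  # same browser
    print("returning client sees:", again)
    forged, _ = handle_request(store, f"{COOKIE_NAME}=AAAA")  # guessed id
    print("forged id sees:", forged)
```

Two things to check when reading this against the question: the `values` dict never leaves the process (only `sid` goes into the Set-Cookie header), and a forged id resolves to a new empty session because `get` finds nothing under it. The only ways a client gets at another user's values are the ones the answers list: something on the server renders them into a page, or the attacker obtains that user's id (hence HttpOnly and Secure on the cookie) or the server itself.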