implementing security with session variables, how it is insecure

Posted by haansi on Stack Overflow See other posts from Stack Overflow or by haansi
Published on 2010-05-05T05:34:38Z Indexed on 2010/05/05 5:48 UTC
Read the original article Hit count: 192

Filed under:

ASP.NET

|

web-applications

|

asp.net-webforms

I am doing web based projects in dotnet. Currently I am implementing security using session variables. I keep current user id and user type in session and authenticate user from these session variables (say Session["UserId"],Session["UserName"] and Session["UserType"]).

Please help me understand how this could be insecure. I've heard that such security can be broken and applications can be hacked very easily, like it is possible to get session id and directly connect to that session id etc.

Please guide me on this.

© Stack Overflow or respective owner

Related posts about ASP.NET

Migrating ASP.NET MVC 1.0 applications to ASP.NET MVC 2 RTM

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Note: ASP.NET MVC 2 RTM isn’t yet released! But this tool will help you get your ASP.NET MVC 1.0 applications ready for when it is! I have updated the MVC App Converter to convert projects from ASP.NET MVC 1.0 to ASP.NET MVC 2 RTM. This should be last the last major change to the MVC App Converter… >>> More
April 14th Links: ASP.NET, ASP.NET MVC, ASP.NET Web API and Visual Studio

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
Here is the latest in my link-listing blog series: ASP.NET Easily overlooked features in VS 11 Express for Web: Good post by Scott Hanselman that highlights a bunch of easily overlooked improvements that are coming to VS 11 (and specifically the free express editions) for web development: unit… >>> More
Use ASP.NET 4 Browser Definitions with ASP.NET 3.5

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
We updated the browser definitions files included with ASP.NET 4 to include information on recent browsers and devices such as Google Chrome and the iPhone. You can use these browser definition files with earlier versions of ASP.NET such as ASP.NET 3 Read More......(read more) >>> More
ASP.NET webforms + ASP.NET Ajax versus ASP.NET MVC and Ajax framework freedom

as seen on Stack Overflow - Search for 'Stack Overflow'
If given the choice, which path would you take? ASP.NET Webforms + ASP.NET AJAX or ASP.NET MVC + JavaScript Framework of your Choice Are there any limitations that ASP.NET Webforms / ASP.NET AJAX has vis-a-vis MVC? >>> More
ASP.NET MVC 2 Released

as seen on ASP.net Weblogs - Search for 'ASP.net Weblogs'
I’m happy to announce that the final release of ASP.NET MVC 2 is now available for VS 2008/Visual Web Developer 2008 Express with ASP.NET 3.5. You can download and install it from the following locations: Download ASP.NET MVC 2 using the Microsoft Web Platform Installer Download… >>> More

Related posts about web-applications

Modularizing web applications

as seen on Stack Overflow - Search for 'Stack Overflow'
Hey all, I was wondering how big companies tend to modularize components on their page. Facebook is a good example: There's a team working on Search that has its own CSS, javascript, html, etc.. There's a team working on the news feed that has its own CSS, javascript, html, etc… >>> More
Adding AJAX Support to Windows Mobile Web Applications

as seen on Internet.com - Search for 'Internet.com'
In this article, you will learn how you can utilize AJAX scripts even in Web applications targeted for Windows Mobile applications. >>> More
Globalize your Web Applications: The Universal Character Set

as seen on Internet.com - Search for 'Internet.com'
This fourth article the Globalize your Web Applications series deals with something that's at the forefront of your web apps: the character sets. More specifically, we'll be taking a look at the Universal Character Set (UCS) and its role in creating multilingual web pages. >>> More
Globalize your Web Applications: PHP's Locale Formatting Classes

as seen on Internet.com - Search for 'Internet.com'
In part 3 of the Globalize your Web Applications series, we'll be exploring PHP's I18N_Number and I18N_Currency classes, both of which are part of the I18N Libraries. >>> More
Singleton pattern in web applications

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm using a singleton pattern for the datacontext in my web application so that I dont have to instantiate it every time, however I'm not sure how web applications work, does IIS open a thread for every user connected? if so, what would happend if my singleton is not thread safe? Also, is it OK to… >>> More