ASP.NET MVC: Is it safe to store sensitive information in a session?

I have a basic authentication system on my MVC website in ASP.NET

    [HttpPost]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        WebSecurity.Login(model.UserName, model.Password, persistCookie: false);
        return RedirectToAction("Index", "Home");
    }

I also have a UserInfoViewModel class where I store some user information and I use it on different pages.

To avoid creating a UserInfoViewModel every time I need it, I want to save it in the Session on Login method.

    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        WebSecurity.Login(model.UserName, model.Password, persistCookie: false);
        var userInfoViewModel = new UserInfoViewModel();
        Session["userInfo"] = userInfoViewModel;
        return RedirectToLocal(returnUrl);
    }

Given that I have sensitive information that I rely on inside the UserInfoViewModel, such as IsSuperuser, is it possible to save this object in a session? Will it expire when the user login expires?

Solution

System.Security.Principal.IIdentity is made for this. It stores the user information you need in the auth cookie, so you do not recompute it every time.

Use custom identity and principal objects.

Thanks for answers!

+4
1 answer

Yes, it is safe, because the session is stored on the server. But there is one more problem you should think about if you decide to use ASP.NET sessions. If the session is stored in the memory of the web server (the default), IIS can recycle your application at any time, and you will lose the session data. On the other hand, the user will still be authenticated, because he is tracked by the forms authentication cookie, which will still be sent. So if you want to use sessions, I would recommend switching to an out-of-process session state provider (StateServer or SQLServer, for example).

Also, as @Mikeb points out in the comments, there is another very serious issue with Session. If you enable it in read/write mode for a controller, you will not be able to process multiple requests from the same session in parallel: the server will lock and process them sequentially. Think, for example, of several AJAX requests from the same session. All of them will be serialized and handled one after another.

+7
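A worked version of the direction the asker settled on, added here as an example and not code from the question, the answer or the original project: the per-user flags go into the forms authentication ticket's UserData instead of Session, a custom principal is rebuilt from the ticket on every request, and controllers that only read the flags opt out of the writable session so the per-session lock described in the answer is never taken. UserInfoViewModel, LoginViewModel, IsSuperuser and WebSecurity.Login come from the question; CustomPrincipal, LoadUserInfo and the JSON layout of UserData are assumptions made for this example.

```csharp
// Added example, not code from the original question or answer: the per-user
// flags live in the forms-authentication ticket's UserData, a principal is
// rebuilt from the ticket on every request, and read-only pages opt out of the
// writable session. CustomPrincipal, LoadUserInfo and the JSON layout of
// UserData are assumptions made for this example.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Mvc;
using System.Web.Script.Serialization;
using System.Web.Security;
using System.Web.SessionState;
using WebMatrix.WebData;

public class LoginViewModel { public string UserName { get; set; } public string Password { get; set; } }
public class UserInfoViewModel { public string UserName { get; set; } public bool IsSuperuser { get; set; } }

// Principal built from the ticket; controllers read it through User.
public class CustomPrincipal : IPrincipal
{
    public CustomPrincipal(IIdentity identity, UserInfoViewModel info)
    {
        Identity = identity;
        Info = info;
    }
    public IIdentity Identity { get; private set; }
    public UserInfoViewModel Info { get; private set; }
    public bool IsInRole(string role) { return role == "Superuser" && Info.IsSuperuser; }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid ||
            !WebSecurity.Login(model.UserName, model.Password, persistCookie: false))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // Replace the cookie WebSecurity.Login just set with one whose UserData carries the
        // user info. The ticket is encrypted and MACed with the machineKey, so the browser
        // cannot flip IsSuperuser; it is still only a snapshot taken at login time.
        var info = LoadUserInfo(model.UserName);
        var ticket = new FormsAuthenticationTicket(
            1, model.UserName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
            false, new JavaScriptSerializer().Serialize(info), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
            { HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = FormsAuthentication.FormsCookiePath };
        Response.Cookies.Set(cookie);
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }

    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        Session.Abandon(); // the auth cookie and Session expire independently; clear both
        return RedirectToAction("Index", "Home");
    }

    // Assumption: stands in for the real lookup of the user's flags in the database.
    private static UserInfoViewModel LoadUserInfo(string userName)
    {
        return new UserInfoViewModel { UserName = userName, IsSuperuser = false };
    }
}

// Global.asax.cs: runs after FormsAuthenticationModule has decrypted and validated the ticket.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || string.IsNullOrEmpty(identity.Ticket.UserData)) return;
        var info = new JavaScriptSerializer().Deserialize<UserInfoViewModel>(identity.Ticket.UserData);
        var principal = new CustomPrincipal(identity, info);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}

// Pages that only read the flags need no Session; ReadOnly (or Disabled) avoids the
// per-session lock, so parallel AJAX requests from one user are not serialized.
[Authorize]
[SessionState(SessionStateBehavior.ReadOnly)]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        var user = User as CustomPrincipal;
        ViewBag.IsSuperuser = user != null && user.Info.IsSuperuser;
        return View();
    }
}
```

Two caveats a practitioner should keep in mind. First, the value in the ticket is a snapshot: revoking superuser rights on the server does not change cookies already issued until they expire, so either keep the forms authentication timeout short or re-check the database before privileged actions. Second, the auth cookie and Session have independent timeouts, which is the asker's expiry question answered with a no; LogOff above clears both. If Session is still used for anything, switch web.config to sessionState mode="StateServer" or "SQLServer" as the answer recommends, and set an explicit machineKey so tickets stay valid across application recycles and across servers in a farm.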