Storing user authentication in Session

Question

When a user logs into my site:

Session["User"] = new User(Name);

To see if a visitor to a page is logged in:

if(Session["User"] != null) {
    //Session["User"].Name is logged in!
}

Is this secure? Does the client have any way of modifying the Session variables?

Aside from Daniel's remark, you might have a look at session hijacking to get an impression how safe a session is and how to protect it: http://stackoverflow.com/questions/2912167/session-hijacking-protection-in-asp-net — Grimace of Despair, May 13 '13 at 18:16
@DanielA.White I didn't even know there was one, I'll do that. — Eric B, May 13 '13 at 18:18

score 0 · Answer 1 · edited May 23 '17 at 12:21

0

Please see my answer here.

The short answer is: forms authentication is much more secure.

edited May 23 '17 at 12:21

Community

answered Oct 08 '13 at 23:40

John Wu

1 Answers1