
I am new to MVC and I have written my application incorrectly and I am trying to work out how to do it properly.

It's a pretty normal situation where the system is accessed by username & password.

Currently, based on this, I have populated a static "network object" as it is needed for every subsequent call to an API to retrieve data.

But, as you probably know, and I have just realised, this means other people are being automatically logged in as I store a

```csharp
public static bool LoggedIn { get; set; }
```

I also have a class which stores sensitive data as follows:

```csharp
public static NetworkInfo networkstuff { get; set; }
```

Which contains:

```csharp
public class NetworkInfo
{
    public string baseUrl { get; set; }
    public string userName { get; set; }
    public string userPassword { get; set; }
    public Proxy proxyInfo { get; set; }
}
```

I need to make this information available across all controllers to avoid having to regenerate it every time I call the API.

But, the only way I can find to do it is using a Session variable. And when I read about Session variables it tells me NOT to store sensitive information in it.

Is there a more correct way of doing this?

Trevor Daniel
  • _"And when I read about Session variables it tells me NOT to store sensitive information in it."_ - where did you read that? – CodeCaster Mar 14 '15 at 11:46
  • the second comment to the answer on this page http://stackoverflow.com/questions/14138872/how-to-use-sessions-in-an-asp-net-mvc-4-application – Trevor Daniel Mar 14 '15 at 11:50
  • I quote: "Lastly DON'T store sensitive data to a session such as Password or Credit card number" – Trevor Daniel Mar 14 '15 at 12:01
  • Avoid using static properties in MVC, they are not thread safe ([refer Darin's answer here](http://stackoverflow.com/questions/14225113/asp-net-mvc-how-safe-are-static-variables) for an explanation). And never store a password in your app. –  Mar 14 '15 at 12:02
  • Sorry, I read the wrong comment. Well that's one user saying that, without explaining why you shouldn't. – CodeCaster Mar 14 '15 at 12:04
  • @StephenMuecke I agree. The problem is that it's not my API and every call requires authentication details with it. – Trevor Daniel Mar 14 '15 at 12:04
  • @Stephen as you can see, OP is working with a proxy server. Those need authentication, and sometimes that authentication is done in plaintext. Hence you need to have the password _somewhere_ in your application. – CodeCaster Mar 14 '15 at 12:04
  • I guess that leaves `Session` or a custom `IPrincipal` where the additional data is stored in the user's `FormsAuthenticationTicket` (and available in each request) as your options. –  Mar 14 '15 at 12:12

1 Answer


I would stick with the ASP.NET membership system as much as possible rather than using a bespoke class to handle authentication.

If you decide to stick with a bespoke class, I would use SecureString rather than string for passwords; you could also use a hashing algorithm such as SHA with a salt to secure the passwords rather than sending them as plain text.

Darren
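The comments settle on two per-user places for this data (the `FormsAuthenticationTicket` and `Session`), and the answer advises against keeping the password in a bespoke static class. The following is an added example, not code from the question or the answer, that puts both together for the question's `NetworkInfo` scenario: the non-secret connection settings (base URL, user name, proxy host) ride in the ticket's `UserData` and are rebuilt into a custom `IPrincipal` on every request, while the API password stays in server-side `Session` so it is neither in a cookie nor in a process-wide static. The `|`-separated serialisation, the `proxyHost` string standing in for the question's `Proxy` type, and the `ValidateWithApi` call are assumptions of this example.

```csharp
// Added example: per-user API settings carried in the forms-auth ticket instead of a static.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Non-secret per-user settings. The password is deliberately NOT here: the ticket is
// sent back in a cookie on every request, so only data you are happy to round-trip belongs in it.
public class NetworkInfo
{
    public string baseUrl { get; set; }
    public string userName { get; set; }
    public string proxyHost { get; set; }   // assumption: the question's Proxy type reduced to a host string

    // Assumed layout: '|'-separated fields. Choose a separator these values cannot contain.
    public string Serialize() { return string.Join("|", baseUrl, userName, proxyHost); }

    public static NetworkInfo Parse(string userData)
    {
        if (string.IsNullOrEmpty(userData)) return null;
        var parts = userData.Split('|');
        if (parts.Length != 3) return null;      // malformed UserData: treat as "no settings"
        return new NetworkInfo { baseUrl = parts[0], userName = parts[1], proxyHost = parts[2] };
    }
}

// One principal per request, built from that request's own ticket; nothing is shared between users.
public class NetworkPrincipal : IPrincipal
{
    public IIdentity Identity { get; private set; }
    public NetworkInfo Network { get; private set; }
    public NetworkPrincipal(IIdentity identity, NetworkInfo network) { Identity = identity; Network = network; }
    public bool IsInRole(string role) { return false; }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password, string baseUrl, string proxyHost)
    {
        if (!ValidateWithApi(userName, password)) return View();   // assumption: your remote API check

        var info = new NetworkInfo { baseUrl = baseUrl, userName = userName, proxyHost = proxyHost };
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, info.Serialize());

        // Encrypt is keyed by machineKey, so the cookie is both confidential and tamper-evident.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                      // not readable from script
            Secure = Request.IsSecureConnection   // only sent over TLS when the site is on TLS
        };
        Response.Cookies.Add(cookie);

        // The API password is per-user, server-side state: Session, never a static property.
        Session["ApiPassword"] = password;
        return RedirectToAction("Index", "Home");
    }

    // Hypothetical: replace with the real call that checks the credentials against the remote API.
    private bool ValidateWithApi(string userName, string password)
    {
        return !string.IsNullOrEmpty(userName) && !string.IsNullOrEmpty(password);
    }
}

// Global.asax.cs: rebuild the principal from the ticket on every request.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value)) return;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(authCookie.Value); }
        catch (ArgumentException) { return; }   // garbage or tampered cookie: stay anonymous
        catch (HttpException) { return; }
        if (ticket == null || ticket.Expired) return;

        var info = NetworkInfo.Parse(ticket.UserData);
        HttpContext.Current.User = new NetworkPrincipal(new FormsIdentity(ticket), info);
    }
}

// Any controller: read the current user's settings from the request, not from a static.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        var user = User as NetworkPrincipal;
        var password = Session["ApiPassword"] as string;
        if (user == null || user.Network == null || password == null)
            return RedirectToAction("Login", "Account");

        // Build the API client here from user.Network.baseUrl / userName / proxyHost plus password.
        return View(user.Network);
    }
}
```

With the default in-process session provider the password never leaves the server and is only reachable from the request that owns that session; if you move to an out-of-process session store it will be serialised into that store, so treat the store itself as holding credentials. The `LoggedIn` flag from the question disappears entirely: `User.Identity.IsAuthenticated` already answers that per request.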