
Well, I know that the title is not saying much; I am sure that many people are asking that question (I didn't find any).

I am building a new web site with a user interface, and when the user logs into the web I am giving him a GUID in the session,

Something like that - Session["User"] = Guid.NewGuid();

So, I am using this User (Session) as my main token in the web; it is my way of checking who he is, whether he is logged in, and his token to the whole web API.

The question is really simple. How safe is this? Because you can get this via simple JavaScript, right? But I am not sure if they have any way of getting this (talking about hackers, not the user). And another question: can the user get this?

So, to make it more simple, because my English is probably really bad:

  1. How safe is this?
  2. Can the user get this ?

Thanks a lot guys, have a good night.

EDIT --

This is the JavaScript to get the session, for those who ask how to do it:

    <script type="text/javascript">
        GetUserName();
        function GetUserName()
        {
            // <%= %> is evaluated on the server: the session value is pasted
            // into the HTML before it is sent, so it is visible in the page source.
            var username = '<%= Session["User"] %>';
            alert(username);
        }
    </script>
  • Probably as safe as sessions in any other language? And if you can access the session data with simple javascript, you're doing something wrong! – adeneo May 03 '15 at 18:18
  • When you want to use ASP.NET WebForms and are worried about security, study how the framework works. Your Guid isn't a risk but it is unnecessary. You already have a UserId. – H H May 03 '15 at 18:20
  • Look at the update, Henk, can you explain a bit more? –  May 03 '15 at 18:20
  • `<%= %>` means serverside execution. The JavaScript is only accessing a simple string. Use "View Page Source" in your browser. – H H May 03 '15 at 18:21
  • It is designed to be safe, unless one uses it in an unsafe way. For example, do not save passwords in the session and do not render them with `<%= Session["Password"] %>` – TarasB May 03 '15 at 18:23
  • Ok, thanks. I got my answer :) –  May 03 '15 at 18:25

2 Answers


The Session is safe. Session data is not stored at the client, but is stored at the server. The only thing accessible from the client is the SessionID stored in the cookie.

The example you show makes the server print out the content of the Session into the output for the client. This will of course make it "available" to the client.

Emil Ingerslev
  • Thanks for the answer mate, I hope everyone will answer like you in the first place and not get angry and downvote new people that join this site. Have a good day, Ty. –  May 03 '15 at 18:24
  • Oh yeah, welcome to SO :) Glad I could help. – Emil Ingerslev May 03 '15 at 18:30

Since it is long enough to be nearly impossible to guess or brute-force, it will be safe as long as:

  • Each user gets access to its own session id only.
  • The Session Id is used as a Session Id, nothing more. That is, it must expire after a period of time.

And about the guid, it will be quite the same thing. Actually, what you did is not really needed.

Mehrzad Chehraz
  • Thanks for the answer mate. Do you think I should use userid and not guid? –  May 03 '15 at 18:26
  • If you use ajax calls, session cookies are sent by ajax, so you don't need to use that guid. – Mehrzad Chehraz May 03 '15 at 18:35
  • So what should I use? A random number? –  May 03 '15 at 18:39
  • Why do you want an Id or Guid? When you mark a user as Logged In by, let's say, Session["LoggedIn"] = true; in the login page, this is stored for that user, and subsequent ajax calls from the user send the session id cookie to the server, and the server page identifies the Session object, so Session["LoggedIn"] will still be true. – Mehrzad Chehraz May 03 '15 at 18:42
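To make the mechanics behind both answers concrete, here is a minimal server-side session store written for this page as an added example; it is not the question's code and not ASP.NET's own implementation. It shows the three properties the answers rely on: the browser only ever holds an unguessable id (the cookie), the user's data and the "logged in" flag live on the server and are looked up from that id, and an id stops working after an idle timeout or logout. The function names (`login`, `is_logged_in`, `current_user`), the 20-minute timeout and the user names are assumptions made up for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Assumed for this example: sessions expire after 20 minutes of inactivity.
# This is a constructed value for the demo, not read from any framework.
IDLE_TIMEOUT_SECONDS = 20 * 60


class Session:
    """Server-side record: nothing in `data` is ever sent to the browser."""

    def __init__(self, now: float) -> None:
        self.data: Dict[str, object] = {}
        self.last_seen = now


class SessionStore:
    """In-memory store keyed by an unguessable session id.

    The id is the only thing the client holds (in a cookie); the user's data
    stays here on the server, which is what the answers above describe.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def create(self) -> str:
        # 32 bytes from the OS CSPRNG = 256 bits of entropy, more than the 122
        # random bits of a version-4 GUID, and not derived from user input.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(self._clock())
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        """Resolve a cookie value to its session; None if unknown or expired."""
        if sid is None:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None  # never issued: a guessed or forged id resolves to nothing
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]  # idle too long: the id is dead
            return None
        session.last_seen = now  # sliding expiry, refreshed on every request
        return session

    def destroy(self, sid: str) -> None:
        """Logout: forget the id so the cookie is worthless afterwards."""
        self._sessions.pop(sid, None)


def login(store: SessionStore, user_id: str) -> str:
    """What a login page does. Returns the value to put in the session cookie."""
    sid = store.create()
    session = store.get(sid)
    assert session is not None  # just created, cannot have expired
    # Mark the user as logged in on the server (the Session["LoggedIn"] = true idea).
    session.data["LoggedIn"] = True
    session.data["UserId"] = user_id
    return sid


def is_logged_in(store: SessionStore, cookie_sid: Optional[str]) -> bool:
    """What every later request (page or AJAX) checks, using only the cookie."""
    session = store.get(cookie_sid)
    return session is not None and session.data.get("LoggedIn") is True


def current_user(store: SessionStore, cookie_sid: Optional[str]) -> Optional[str]:
    """Who the request belongs to, resolved on the server, never taken from the client."""
    session = store.get(cookie_sid)
    if session is None or session.data.get("LoggedIn") is not True:
        return None
    return str(session.data["UserId"])


if __name__ == "__main__":
    store = SessionStore()
    cookie = login(store, "alice")  # constructed user name
    print("cookie value the browser holds:", cookie)
    print("logged in with that cookie:", is_logged_in(store, cookie))
    print("logged in with a made-up id:", is_logged_in(store, "not-a-real-id"))
```

Nothing in the store is keyed by anything the client chooses: a request can only reach the session whose id it presents, which is the first condition in the second answer, and the sliding timeout in `get` is the second. A separate GUID inside the session adds nothing to this, since the cookie id already plays that role.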