The workflow that you describe looks fine. To me it seems safe to use some ID to get more information about a user, especially if this is supposed to be an API; at least, the Facebook API uses this principle without being afraid of hackers :)
My main concern here is the coding style: you try to mix code and view, which is not good. If you really need to share some information between the client and server sides, then I would go with one of these options.
Option # 1 - Cookies
What is the difference between a Session and a Cookie?
You can keep some simple information in a cookie and get it this way :
- Client : $.cookie('ID')
- Server : Response.Cookies["ID"]
In this case there is no need to mess up your client-side JS with C# code, and cookies will be saved on the user's PC, which means that nobody will see them except him.
Option # 2 - Templates
- Server : put all needed information into hidden form or ViewState
- Client : take information from hidden form using HTML selectors
Straight answer :
In general, if you worry only about safety, then it is fine to use this code; it should not break the security of your site.
Although, personally I do not like this approach because :
- you will mix code and view, MVC was created to split them
- it is not clear where exactly in your view you will put this code and thus it is not clear how you are going to check that this variable was initialized
- it may happen that you will put there some value that will break JS syntax and will cause a JS error
In my personal opinion, I would replace it with one of the mentioned options.
Option 1 - MVC + JQuery + Cookie Example
    public ActionResult Index()
    {
        // get value from client; the cookie is absent on the very first request
        HttpCookie cookie = Request.Cookies["MyNameSpace.ID"];
        string demo = cookie != null ? cookie.Value : null;
        Response.Cookies["MyNameSpace.ID"].Value = "server"; // change value in response
        return View();
    }
Then in your JS file :
    $(document).ready(function() { // make sure server rendered page
        var ID = $.cookie('MyNameSpace.ID'); // get cookie value from server
        $.cookie('MyNameSpace.ID', 'client'); // update, on the next request server will get it
    });
Option 2 - MVC + JQuery + Templates Example
    public class OptionsModel // View Model
    {
        public string ID { get; set; }
        public string User { get; set; }
    }

    public ActionResult Index() // Controller
    {
        OptionsModel options = new OptionsModel();
        options.ID = "server";
        return View(options);
    }
Your view :
    <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<OptionsModel>" %>
    <%=Html.HiddenFor(m => Model.ID, new { @class = "MyNameSpace:ID" })%>
    <%=Html.HiddenFor(m => Model.User, new { @class = "MyNameSpace:User" })%>
Then in your JS file :
    $(document).ready(function() { // make sure server rendered page
        var options = $('[class^=MyNameSpace]'); // get hidden fields
        options.eq(0).val('client'); // update data in the first field
        $.ajax({ data : options.serialize() }); // send data back to server as name=value pairs
    });
Examples for Web Forms do not differ significantly.
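The point above about a value that breaks JS syntax, shown as an added example that is not part of the original answer: it compares writing a server value straight into an inline script with encoding it first, and with the hidden-field form of Option 2. The function names are hypothetical and the sample values are constructed.

```javascript
// Added example; function names are hypothetical, sample values are constructed.
// The inline pattern the answer advises against: var ID = '<%= value %>';
function renderInlineNaive(value) {
  return "var ID = '" + value + "';";
}

// Inline rendering with encoding: emit a JS string literal, then escape the
// characters that could close the surrounding <script> element.
function renderInlineEncoded(value) {
  const literal = JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
  return 'var ID = ' + literal + ';';
}

// Option 2 style: the value travels as an HTML-encoded hidden field attribute.
function renderHiddenField(cssClass, value) {
  const esc = (s) => String(s)
    .replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return '<input type="hidden" class="' + esc(cssClass) +
         '" value="' + esc(value) + '">';
}

// True when the statement parses and ID holds exactly the original value.
function roundTrips(statement, expected) {
  try {
    return new Function(statement + ' return ID;')() === expected;
  } catch (e) {
    return false; // syntax error: the rest of the page script would not run
  }
}

// True when the HTML parser would end the <script> element inside the value.
function closesScriptElement(statement) {
  return /<\/script/i.test(statement);
}

// Constructed sample values a server-side ID or user name might contain.
const SAMPLES = ['42', "O'Brien", 'a\\', 'line1\nline2', '</script>'];

function report(render) {
  return SAMPLES.map((v) => {
    const js = render(v);
    return { value: v, ok: roundTrips(js, v) && !closesScriptElement(js) };
  });
}
console.log(report(renderInlineNaive), report(renderInlineEncoded));
```

Only the plain value `42` survives the naive form; the encoded form and the hidden field carry every sample intact.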