RE: Forms authentication vs session variable

Discussion in 'ASP .Net' started by Peter Bromberg [C# MVP], Apr 12, 2008.

  1. If you are using forms authentication, you would normally attach the user
    object to the forms authentication ticket in Application_AuthenticateRequest
    (which fires for every page request). This then becomes available on any page
    in the User property; there is no need to store it in Session. You can find
    plenty of good sample code on how to do this including adding the user Roles
    to the ticket.
    -- Peter
    Site: http://www.eggheadcafe.com
    UnBlog: http://petesbloggerama.blogspot.com
    Short Urls & more: http://ittyurl.net


    "Bjorn Sagbakken" wrote:

    > In a web-application with login creds (user, pwd), these are checked against
    > a user table on a SQL server. On a positive validation I have saved the
    > userID, name, custno and role-settings in a userobject (custom built class)
    > and added this to the session using a session variable like session["User"]
    >
    > For all other pages I have added a small test in the page_load event,
    > basically testing if the session["User"] != null, but also checking if the
    > User-object contains a UserID != ""
    > Only if these tests are passed, the user gets the page requested, otherwise
    > he is redirected to the login page.
    >
    > Well, all this works well, and I cannot see any security break here. The
    > only information that passes between the client and the server is the
    > sessionID, and this is supposed to be secure.
    >
    > Still, I have been reading about using forms authentication (Cookie
    > authentication), and this is also easily implemented. The test in each page is
    > somewhat similar. But my question is: Is this actually more secure, or is it
    > just another way to do it?
    >
    >
    > Bjorn
    >
    >
    >
    Peter Bromberg [C# MVP], Apr 12, 2008
    #1

  2. Whether you need to change your current application depends on whether you
    are happy with the current level of protection. Consider various security
    threats and see how relevant they are for you.

    There is a known security vulnerability called "Session Hijacking", among
    other threats, and there are standard ways of protection. Look here for an
    example:
    How To: Protect Forms Authentication in ASP.NET 2.0
    http://msdn2.microsoft.com/en-us/library/ms998310.aspx

    With forms authentication being the standard approach, you can more easily find
    advice on making it more secure.

    ASP.NET membership provider helps you in managing your users and roles. You
    will need to take care of UI authorization yourself, but at least you can
    delegate user and role maintenance to ASP.NET.

    --
    Eliyahu Goldin,
    Software Developer
    Microsoft MVP [ASP.NET]
    http://msmvps.com/blogs/egoldin
    http://usableasp.net


    "Bjorn Sagbakken" <> wrote in message
    news:...
    >I know how forms authentication works, at least basically. But since I
    >already have a running application using the session approach as I
    >described, my question is: Is that less safe than using forms
    >authentication? In case yes, I wonder why?
    > (--> meaning: should I modify the running application to raise the level
    > of security?)
    >
    > In the next application I will use forms authentication, but I am a bit
    > dubious on using the built-in feature for roles. All the data for the
    > roles will be stored in a SQL database, and the authorization levels will
    > mostly not differ in user access to specific webpages, but much more
    > detailed, like enabling buttons and adding menu-selection. So I was
    > thinking of storing these authorization levels in session. But, of course,
    > if there is a dynamic way to use the built-in role feature without
    > hardcoding this into the web.config file, I will certainly consider this.
    >
    > Bjorn
    >
    Eliyahu Goldin, Apr 13, 2008
    #2
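The approach Peter describes in #1 (attach the user and roles to the forms authentication ticket, rebuild the principal in Application_AuthenticateRequest, never touch Session) and the hijacking concern Eliyahu raises in #2 (the cookie that carries the ticket is a bearer token, so it needs the same care as a session ID), as an added example. This is not code from the thread or from any of its authors. It assumes web.config has `<authentication mode="Forms">` with `protection="All"` and `<authorization><deny users="?"/></authorization>`, that the login page has already checked the user/password against the SQL user table (that lookup is outside the example and supplies the `roles` array), and that `btnApprove` is a control id from the page markup.

```csharp
// Added example, not code from the thread. Roles are stored in the ticket's
// UserData at login and turned into HttpContext.User on every request, so
// pages use User.IsInRole instead of a Session["User"] null check.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class LoginHelper
{
    // Called by the login page once the SQL user-table check has succeeded;
    // 'roles' is whatever that lookup returned for this user.
    public static void IssueTicket(HttpResponse response, string userName,
                                   string[] roles, bool rememberMe)
    {
        // Roles ride inside the ticket, so they are covered by the same
        // encryption and MAC as the user name (protection="All").
        string userData = string.Join("|", roles);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                           // ticket version
            userName,
            DateTime.Now,                // issue time
            DateTime.Now.AddMinutes(20), // absolute expiry; keep it short
            rememberMe,
            userData,
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                         // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL; // HTTPS only when requireSSL="true"
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (rememberMe)
            cookie.Expires = ticket.Expiration;         // otherwise a session cookie
        response.Cookies.Add(cookie);
    }

    // Splits the roles stored by IssueTicket back out of a decrypted ticket.
    // An expired ticket or an empty UserData yields no roles at all.
    public static string[] RolesFromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired || string.IsNullOrEmpty(ticket.UserData))
            return new string[0];
        return ticket.UserData.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
    }
}

// Global.asax.cs
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already decrypted and validated the
        // cookie (a tampered or expired one leaves the request anonymous) and
        // set a FormsIdentity; this handler only attaches the roles from UserData.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null)
            return;
        Context.User = new GenericPrincipal(identity, LoginHelper.RolesFromTicket(identity.Ticket));
    }
}

// Any protected page: no Session["User"] check is needed, because
// <deny users="?"/> already sends anonymous requests to loginUrl. Fine-grained
// decisions such as enabling a button come from the roles in the ticket.
public class OrdersPage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        // 'btnApprove' is an assumed control id from the page markup.
        System.Web.UI.Control approve = FindControl("btnApprove");
        if (approve != null)
            approve.Visible = User.IsInRole("Approver");
    }
}
```

Two points a reviewer would check in this setup. First, the ticket, not the session, is now the thing an attacker would want to steal, so the cookie flags above need matching configuration: `requireSSL="true"` and `protection="All"` on the `<forms>` element, `<httpCookies httpOnlyCookies="true" requireSSL="true"/>`, and a short `timeout` with `slidingExpiration="false"` so a captured ticket stops working at a fixed time. Second, the roles are frozen into the ticket at login; a role revoked in the database stays in effect until the ticket expires or the user logs in again, which is one more reason to keep the expiry short.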