Security based on session, what's wrong?

Discussion in 'ASP .Net Security' started by Matt, Apr 27, 2005.

  1. Matt

    Matt Guest

    Hello,

    I'm working on a portal derived from IBuySpy, and I have changed

    I check username and pwd against a database, then I make a
    Session["User"]= UserID (the ID I get from the database, if it
    exists).
    Now I create all the pages based on that ID stored in a session
    variable.
    If that user is authorized to see a certain tab, module or content,
    the page is created that way. All the auth info (user/contents) are
    stored in another database table.

    Everything works fine without the use of forms authentication.
    Is there something wrong with it? Should I use forms authentication?
    Why?

    Thanks,
    Mattia
     
    Matt, Apr 27, 2005
    #1

  2. Brock Allen

    Brock Allen Guest

    You can always go and build your own authentication and authorization mechanism.
    The intent of Forms is that much of the routine checks and identity management
    is done for you. Of course there are pieces you have to fill in, such as
    the login page and the database of usernames/passwords, but the check on
    every page is done for you to see if the user is logged in and if they're
    allowed to access the pages. The cool thing is that this is declarative with
    the <authorization> elements in web.config, and there's typically little
    or no access checks you have to write in your own code.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



    > Hello,
    >
    > I'm working on a portal derived from IBuySpy, and I have changed
    >
    > I check username and pwd against a database, then I make a
    > Session["User"]= UserID (the ID I get from the database, if it
    > exists).
    > Now I create all the pages based on that ID stored in a session
    > variable.
    > If that user is authorized to see a certain tab, module or content,
    > the page is created that way. All the auth info (user/contents) are
    > stored in another database table.
    > Everything works fine without the use of forms authentication.
    > Is there something wrong with it? Should I use forms authentication?
    > Why?
    > Thanks,
    > Mattia
     
    Brock Allen, Apr 27, 2005
    #2

  3. Matt

    Matt Guest

    Ok, then if I just create my own authorization mechanism and just rely,
    from page to page, on Session["IDUser"] to create my page, isn't that
    less safe than using the Forms authentication mechanism?

    Sometimes I have the feeling that the Session (I use InProc) expires
    earlier than the n minutes specified in web.config (my app finds
    Session["IDUser"] empty and resets to the login page).
    I use a Windows 2003 server with IIS6, with multiple ASP.NET portals
    with the same codebase running on it.
    I know that with forms auth you have to specify a different form name
    instead of the default ASPAUTH; is it the same for the session cookie?

    Thanks,
    Mattia



    >You can always go and build your own authentication and authorization mechanism.
    >The intent of Forms is that much of the routine checks and identity management
    >is done for you. Of course there are pieces you have to fill in, such as
    >the login page and the database of usernames/passwords, but the check on
    >every page is done for you to see if the user is logged in and if they're
    >allowed to access the pages. The cool thing is that this is declarative with
    >the <authorization> elements in web.config, and there's typically little
    >or no access checks you have to write in your own code.
    >
    >-Brock
    >DevelopMentor
    >http://staff.develop.com/ballen
    >
    >
     
    Matt, Apr 27, 2005
    #3
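As an added example (not code from any poster in this thread), here is the declarative web.config setup Brock describes, with the forms cookie given a per-portal name to address Matt's follow-up about several portals sharing one codebase on the same IIS6 host. The cookie name, login page, folder name and role name are assumptions for the example.

```xml
<!-- web.config for one portal; cookie name, paths and role are assumed -->
<configuration>
  <system.web>
    <!-- Forms authentication: the runtime validates the ticket cookie on
         every request, so no per-page Session["IDUser"] check is needed. -->
    <authentication mode="Forms">
      <!-- Give each portal on the shared host its own cookie name, so a
           ticket issued by one portal is never presented to another.
           protection="All" encrypts and signs the ticket. -->
      <forms name=".PORTALA_AUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             path="/" />
    </authentication>

    <!-- Declarative access check: anonymous users ("?") are redirected
         to loginUrl for every page in the application. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-folder rule: only members of the Admin role may enter Admin/;
       everyone else ("*") is denied, including logged-in users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After the existing database check succeeds, the login page calls FormsAuthentication.RedirectFromLoginPage(userId, false), which issues the ticket and sends the user back to the page that was denied. The roles referenced by the `<allow roles>` rule are attached to Context.User in Application_AuthenticateRequest (global.asax), the same place IBuySpy loads them.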
