Thoughts about using Session variables for login security?

Bobby Edward

I am creating a simple website with a login page and some "admin only"
pages.

In my login page's submit button I just say if the "password is correct"
then...
session("IsAdmin") = True

In my admin only pages I check if session("IsAdmin") = True
If it's NOT then I redirect them to the login.aspx page.

Is this solution pretty solid, or is it easy to hack? I keep the password
in the web.config appsettings section so it's easy to change.

I know I could use Membership stuff, but I'm just doing a simple, quick
website.

Your thoughts are appreciated!
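The approach described in the question, written out as ASP.NET Web Forms code-behind in VB.NET. This is an added example, not Bobby's code; it assumes controls named txtPassword, btnLogin and lblMessage on login.aspx, an appSettings key named "AdminPassword", admin pages under a folder named Admin, and a logout page:

```vb
' Added example (not from the thread): the session-flag approach from the question.
' Assumed names: txtPassword, btnLogin, lblMessage, appSettings key "AdminPassword",
' an "Admin" folder, and a logout.aspx page.
Imports System
Imports System.Configuration
Imports System.Web
Imports System.Web.SessionState
Imports System.Web.UI

' One shared helper so every admin page performs exactly the same check.
Public Module AdminGuard
    Public Const AdminKey As String = "IsAdmin"

    ' True only when the flag was explicitly set by a successful login.
    ' Session(key) returns Nothing for an unknown key, so use Equals rather
    ' than relying on an Object = Boolean comparison.
    Public Function IsAdminSession(ByVal session As HttpSessionState) As Boolean
        Return session IsNot Nothing AndAlso True.Equals(session(AdminKey))
    End Function

    ' Redirects to the login page unless the session carries the admin flag.
    ' Call this from Page_Load of every admin-only page: a page that omits the
    ' call is reachable by anyone who knows its URL.
    Public Sub RequireAdmin(ByVal page As Page)
        If Not IsAdminSession(page.Session) Then
            page.Response.Redirect("~/login.aspx", True)
        End If
    End Sub
End Module

' login.aspx.vb
Partial Class Login
    Inherits Page

    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        ' Read from <appSettings><add key="AdminPassword" value="..." /></appSettings>
        Dim expected As String = ConfigurationManager.AppSettings("AdminPassword")

        If Not String.IsNullOrEmpty(expected) AndAlso _
           String.Equals(txtPassword.Text, expected, StringComparison.Ordinal) Then
            ' The flag lives in server memory; the browser only holds the session id cookie.
            Session(AdminGuard.AdminKey) = True
            Response.Redirect("~/Admin/Default.aspx", True)
        Else
            lblMessage.Text = "Login failed."
        End If
    End Sub
End Class

' Admin/Default.aspx.vb (repeat this Page_Load on every admin-only page)
Partial Class Admin_Default
    Inherits Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        AdminGuard.RequireAdmin(Me)
    End Sub
End Class

' logout.aspx.vb
Partial Class Logout
    Inherits Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Abandon discards the whole server-side session, including the flag.
        Session.Abandon()
        Response.Redirect("~/login.aspx", True)
    End Sub
End Class
```

The check is the weak point of this design from a maintenance standpoint: it only protects pages that call it, which is why the helper is centralised and why the web.config authorization approach discussed later in the thread is worth considering.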
Jesse Houwing

Hello Bobby,
> I am creating a simple website with a login page and some "admin only"
> pages.
>
> In my login page's submit button I just say if the "password is correct"
> then...
> session("IsAdmin") = True
>
> In my admin only pages I check if session("IsAdmin") = True
> If it's NOT then I redirect them to the login.aspx page.
>
> Is this solution pretty solid, or is it easy to hack? I keep the
> password in the web.config appsettings section so it's easy to change.
>
> I know I could use Membership stuff, but I'm just doing a simple,
> quick website.

Membership is there, membership is quick and membership works out of the
box from the web.config if you need it to.

My experience is that this quick and simple website will run for the coming
20 years and that every time you need to change something you hoped you did
it the right way first time round...
ASF

I've done the same thing in the past. There is one and only question
you need to ask: "is this doing what I need it to?" From your post the
answer is "yes," so you're good. But I see you're asking "is it easy
to hack?"

And the answer is a resounding "no." Session variables are stored in
the server's memory. In order to access them a hacker would need to
hack the server itself and gain access to its memory. If that
happens, having them view your session variables would be the very
least of your concerns.
Mark Fitzpatrick

I'd look at Jesse's recommendation about using the built-in membership
system in ASP.Net 2.0 if you really want to have some flexibility. You can
then use Roles to manage your users. For administrators, you can create an
Admin role and assign the users to that role. Then all you have to do is
test if the user is in that role. Actually, better yet, you can set the
authorization section of the web.config file so that only certain users or
roles have access to particular files or folders. This lets you tweak
security in a config file without worrying about coding it in every single
page.

Hope this helps,
Mark Fitzpatrick
Microsoft MVP - Expression
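The web.config arrangement Mark describes, as an added example (not Mark's own configuration): Forms authentication with the built-in role manager, and a `<location>` element that restricts everything under an assumed "Admin" folder to members of an assumed "Admin" role.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Assumes an "Admin" folder, an "Admin"
     role created through the Roles API (or the Web Site Administration Tool),
     and the default SQL membership/role providers already set up. -->
<configuration>
  <system.web>
    <!-- Unauthenticated requests to protected pages are sent to login.aspx -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>

    <!-- Enables Roles.IsUserInRole / User.IsInRole on every request -->
    <roleManager enabled="true" />

    <!-- Site-wide default: public pages stay open to everyone -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Everything under /Admin is limited to the Admin role.
       Rules are evaluated top to bottom and the first match wins, so the
       allow must come before the deny. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place no admin page needs its own redirect code: a request to any file under Admin by a user who is not in the role is refused before the page runs, and inside a page `User.IsInRole("Admin")` can still be used to show or hide individual controls.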