Security advice needed!

Discussion in 'ASP .Net' started by Smith, Dec 4, 2008.

  1. Smith

    Smith Guest

    Hello Gurus,
    I came across an asp.net application where access in every restricted page
    is done by checking a session variable to see if it contains a valid user
    object info. This user object info being stored when a successful login is
    done by checking a list of valid users/password in the database.

    Can someone point out some potential security risk exposed by this method? I
    have the feeling that it doesn't look good but I need to put in scenarios.

    Any comment will be highly appreciated.

    Smith
     
    Smith, Dec 4, 2008
    #1

  2. Smith

    cowznofsky Guest

    We have an app where the user's password gets used multiple times, so
    we encrypt it using
    Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.Cryptographer.EncryptSymmetric
    and save it in a session variable.

    On the other hand, if you're just saving a security level that you
    determined at login, then maybe this isn't information that needs to
    be saved.
     
    cowznofsky, Dec 4, 2008
    #2