Home/ Questions/Q 418665
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T18:42:04+00:00

I am developing my login for my new homepage. Now I found out, that

  • 0

I am developing my login for my new homepage.

Now I found out, that I must save something like the userID (or another value that i can recognize my user) in the session variable of the browser.

At the moment I use INT for the userID.

So isn’t it unsafe to put the userID in the session?

E.g. when I edit my session variable manual from userID 111 to userID 112, than I am logged in as a complete other user?!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, it is unsafe to rely only on user ID.

    You may wish to add a unique authentication token generated and remembered by the server. Also a very simple solution, but it will stop manipulating the user ID since the correct value for authentication token for the other user cannot be guessed.

    You also need to submit both user ID and the corresponding authentication token at each request to be jointly validated on the server side, prior to performing the requested operation.

    P.S. The above applies if you store this information in cookies which are accessible on the client side and can be manipulated. The viewstate (serialized in pages) can also be manipulated. The session collection is a server-side variable that is not available on the client so it cannot be manipulated. In this later case your user ID should be safe.

    I would recommend you to implement the dual system: store the user ID and the token both in cookies and in the session and use the same validation logic (for simplicity). Should cookies be disabled you automatically fallback to using the session without changing your code.

    • 0