i am using a session cookie (not a permanent one) to save the user id to know if the user is logged in.
basically, user logs in, we check the credentials, then set a session cookie userID = 37 (for this particular user, another user would have 73 or 69, etc…)
Session.Add("UserID", 37);
my question is, is it possible for the logged in user to somehow change this session cookie from 37 to 73 and thus fool the server into thinking he is actually user 73?
if YES, then what am i doing wrong, how to handle this case? it seems insane to put in session user id and password hash and check them EVERY TIME??
we are using this userid value also in queries later to restrict them.
i am sorry if this is not an EXACT code question, but it is very much relevant to my code.
The session cookie contains only the session id. It is used to identify the user. It contains nothing more. The actual information for this session is stored on the server. So this is secure. The user can never change the value that has been stored on the server. The user cannot change his id if you stored this inside the session.
This being said, when dealing with user ids you could consider using forms authentication to track authenticated users instead of reinventing wheels with the Session.