Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m building a MVC3 application that needs to store secure user information such as userid, username, phone, and email. In my research I see people using the httpcontext object as well storing user objects in session state.
Session["User"] = user;
The previous data being stored in the user object. I’m wondering what the difference is between Session[“”] and HttpContext object is and if either of these methods are a secure way to store this data.
Thanks for your thoughts!
HttpContext.Current.Items is a per-request store. It is not accessible to other users.
Session is a per USER store. It has a bad air surrounding it with performance as the session is locked per that users sessionid for each request, so overlapping requests can have performance issues in waiting for the object to become available.
Both are not available to other users unless in the case of session, someone steals (sniifs on the network) the session id and hijacks that session. Even then the data isn’t accessible unless you have a trace page but keep in mind then the evil user may be able to surf pages as a different user if able to steal that and forms auth token (as just one example)