I’m using ASP.NET MVC2 and I need to save the user’s login status to indicate whether he is logged in and to show some private data.
What I did was just add the UserID to the session (Session.Add("UserID", user.ID.ToString());) and then redirect to the user page, which gets the UserID (string userID = Session["UserID"].ToString();) and, if it exists, pulls the data out of the DB and shows it to the user.
As far as I know, session data is stored on the server side, so my first thought is that this method is pretty safe. However, I checked in Chrome and it is creating some kind of cookie, which makes me doubt that.
Can someone tell me if this method is safe?
The cookie that is being created (a) is encrypted and (b) does not contain the actual data, but rather a session identifier used to retrieve the proper session for the thread handling the request. It’s a perfectly reasonable and secure way to save the data. I believe that the cookie is HttpOnly by default (you should verify this) and shouldn’t be exposed to scripts in the browser. If it isn’t HttpOnly, you should configure it to be so (using the httpCookies directive); best practice would dictate that cookies be HttpOnly unless specifically required for use by the client directly.
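As an added illustration (not part of the original answer or the asker's project), the httpCookies directive mentioned above lives under system.web in the application's web.config. The fragment shows the permissive setting commented out next to the hardened one, and assumes the site is served over HTTPS so that requireSSL does not break the session cookie; the sessionState values are example settings, not the asker's.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>

    <!-- Weak (example of what to avoid): every cookie the application sets,
         including the session cookie, is readable by scripts in the browser
         and is sent over plain HTTP as well as HTTPS.
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    -->

    <!-- Hardened: cookies are HttpOnly (not exposed to browser scripts) and
         marked Secure so the browser only sends them over HTTPS.
         Assumes the site is served over HTTPS; with requireSSL="true" the
         session cookie is never sent on a plain-HTTP request. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Session itself is kept on the server; the browser only holds the
         session identifier in the ASP.NET_SessionId cookie. Keep the
         identifier in a cookie (not in the URL) and give idle sessions a
         short lifetime. Example values, not the asker's. -->
    <sessionState cookieless="UseCookies" timeout="20" />

  </system.web>
</configuration>
```

After deploying, confirm the result by inspecting the Set-Cookie header for ASP.NET_SessionId in the browser's developer tools: it should carry both the HttpOnly and Secure attributes.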