Home/ Questions/Q 6160693
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T21:20:55+00:00

This is more of a general question rather than a specific problem. I’m coding

  • 0

This is more of a general question rather than a specific problem.

I’m coding an asp.NET with C# Website with user login and admin controls etc and I obviously want the website to be as secure as possible because if someone accessed the admin side they could potentially drop all sql tables etc.

Therefore im asking for a bit of guidance in terms of how to make sure my website is secure. I’ve found a few posts on google and stuff but not really found anything worth reading. If anyone can redirect me to a decent post. Or just warn me of any measures I have not taken into consideration.

What I’ve done so far is:

When a user/admin enters their login details. It is authenticated using sql connections to retieve usernames and passwords from the database, if they exist, a session is created using the users uniqueID using Session[“_userID”] = id;

This is the ONLY place in the entire website where a session is created.

On ALL the pages that have any type of Restriction, On the page load, the first piece of code that runs checks if the Session[“_userID”] Exists. If it exists, it loads the page as usual, if not, it Purely redirects to the login page.

if (Session["_userID"] == null)
{
    Response.Redirect("login.aspx");
}
// rest of page loads

If not sure if this is easily hackable or even secure.

The only time a session id destroyed is when it either runs out, or the user logs out. using: 

Session.Abandon();

these are pretty much the only security measures in place.

Is This Enough?

My Website Needs to be HACK PROOF

Thanks for reading!

Alex

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Firstly, make sure there is no ability whatsoever for anyone – website admin or not – to drop tables from your database via a web UI. Have a look at the section about “Applying the principle of least privilege” in here.

    Secondly, stop writing your own authentication and authorisation schemes, all the hard work has been done for you already and it’s just a few clicks away in the membership provider. This will do everything you’re asking for any many things you haven’t mentioned but probably should have such as proper salting and hashing of passwords. Have a look at “Using the ASP.NET membership provider” in this post.

    Finally, you’re not “hack proofing” your website, you’re simply increasing the level of difficulty to the point where it becomes highly unlikely. If you’re serious about security, I suggest reading through this series about The OWASP Top 10 for .NET developers. Good luck!

    • 0