hapax_legome...
Member
316 Points
357 Posts
Are sessions secure within SSL?
May 04, 2012 04:05 PM
I have a custom login system, and I will redirect a user to another page after they log in.
I want a simple way to store the fact that a user is logged into the site. Can I just store this in a session variable, like Session["LoggedIn"] = "yes"?
Is this secure? I'm using SSL on the site.
BrockAllen
All-Star
28134 Points
4997 Posts
MVP
Re: Are sessions secure within SSL?
May 04, 2012 04:29 PM
You could use something like session, but there is a built-in authentication framework called forms authentication. It's preferred to use the built in approach as they deal with many of the security issues and then you can leverage the built-in authorization plumbing as well (rather than reinventing that wheel). All of this should use SSL, so you're good on that front.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
http://support.microsoft.com/kb/301240
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
hapax_legome...
Member
316 Points
357 Posts
Re: Are sessions secure within SSL?
May 04, 2012 04:39 PM
But is my plan secure, to use a session?
The login is already built, so I don't want to rewrite it at this point.
BrockAllen
All-Star
28134 Points
4997 Posts
MVP
Re: Are sessions secure within SSL?
May 04, 2012 04:46 PM
Sure, if the user is always over SSL.
The problem is that if initially the user is not on SSL, but you're still using session (since it's not meant for authentication), the user will get a cookie. So then someone else on the network can steal the cookie. Then the user logs in and you switch to SSL and you now save that flag in your session... the attacker has the cookie and replays it and now your server thinks the attacker is logged in.
So if the cookie is ever sent without SSL then you have this attack vector. Also, make sure that when the browser requests images, CSS and JS the cookie is not sent -- you need to set the HTTPS only flag for the cookies (with <httpCookies requireSSL="true"/> in web.config)
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
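To put the advice in the two posts above into code, here is an added example (not from the thread or from Brock) of a Login.aspx.cs handler that refuses to log in over plain HTTP, drops the session id that existed before authentication, and records the logged-in state in a forms-authentication ticket rather than in Session. The CheckCredentials method and the UserName, Password and ErrorLabel controls are assumed names.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // Credentials must only ever arrive over SSL; a pre-login request over
        // plain HTTP is exactly where the session cookie could be observed.
        if (!Request.IsSecureConnection)
        {
            Response.Redirect("https://" + Request.Url.Host + Request.RawUrl);
            return;
        }

        if (!CheckCredentials(UserName.Text, Password.Text)) // hypothetical helper
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Discard the session that existed before authentication. Session.Abandon()
        // by itself reuses the same ASP.NET_SessionId value on the next request,
        // so expire the cookie as well; the browser then gets a fresh id that a
        // replayed pre-login cookie does not match.
        Session.Abandon();
        var stale = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            Secure = true,
            HttpOnly = true
        };
        Response.Cookies.Add(stale);

        // "Logged in" lives in the forms-authentication ticket, not in Session.
        // Pages check User.Identity.IsAuthenticated or rely on <authorization>.
        FormsAuthentication.SetAuthCookie(UserName.Text, false);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
    }

    private bool CheckCredentials(string user, string password)
    {
        // Hypothetical: look the user up and verify a salted password hash here.
        throw new NotImplementedException();
    }
}
```

Pair this with `<httpCookies requireSSL="true" httpOnlyCookies="true"/>` and `<forms requireSSL="true" .../>` under `<system.web>` in web.config so that neither the session cookie nor the auth ticket cookie is ever sent in the clear.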
BrockAllen
All-Star
28134 Points
4997 Posts
MVP
Re: Are sessions secure within SSL?
May 04, 2012 04:47 PM
But, having said all of that above, I'd still rather see you rewrite using the standard, well-established approach :)
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
hapax_legome...
Member
316 Points
357 Posts
Re: Are sessions secure within SSL?
May 04, 2012 04:59 PM
Thanks for the help.
The user always stays within the same SSL site.
I will certainly look at the standard authorization next time I build an app like this. Are you talking about the .NET Membership stuff?
This app is supposed to be a quick project. "Not enough time to do it right" - you know how it goes ;)
BrockAllen
All-Star
28134 Points
4997 Posts
MVP
Re: Are sessions secure within SSL?
May 04, 2012 05:59 PM
Yes and no. The real part of security in ASP.NET is Forms Authentication (or Windows) -- the links I gave you above. Membership is really not the central part of security in the web -- SSL, cookies, XSS, XSRF, etc. are. Membership is really just a database lookup for credentials and is a minor piece (and often overhyped and misunderstood). The one important piece that membership can potentially address is password management, but even the built-in providers don't do this in a modern and most secure way.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
Steven Cheng...
Contributor
4219 Points
548 Posts
Microsoft
Moderator
Re: Are sessions secure within SSL?
May 07, 2012 02:59 AM
Hi hapax_legomenon,
If the entire web app (pages and handlers in it) is secured via an SSL connection, I think it is surely safe. And using session state is quite common for forms-based authentication. Actually, when you use session state in an ASP.NET web app, there is a cookie generated to store the session id which will be transferred between client and server, since the client will need to supply this session id cookie later so that the server side can correctly locate the session state for the proper client. So when using an SSL connection, you actually secure the transfer of sensitive data such as the session id cookie item.
BTW, in case you want to use ASP.NET built-in forms authentication later, here is a good MSDN article that explains how ASP.NET forms authentication works:
#Explained: Forms Authentication in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ff647070.aspx#pagexplained0002_aspnetforms
Feedback to us
Microsoft One Code Framework