Session based authentication

I am currently using session based authentication for my asp.net website.

1) I would like to know whether it is safe or not to have session based authentication from security purpose.

2) When number of users grows whether too many session slows down the performanc开发者_运维百科e?

3) In case nothing will work out, I end up migrating session based authentication to Forms Authentication, What is safe way to migrate?

so far i have referred this link

http://www.asp.net/general/videos/how-do-i-create-a-custom-membership-provider

I would like to know whether is it safe to have session based authentication from security purpose.

That will depend on how you implemented it, but if you are storing the currently logged in username in the session you should be pretty safe.

When number of users grows whether too many session slow down the performance.

If you are using an In-Memory session provider that would mean that you would be storing inside the memory of your web server all the information about the currently logged in users. Also if the application domain recycles, you will loose all session information and thus all logged in users will automatically be logged out which is not good. This is not scalable solution. You might want to use an out of process session provider if you ever decide to go this path.

In case nothing will work out, I end up migrating session based authentication to Forms Authentication, What is safe way to migrate?

Simply remove all code that relies on session and replace it be using User.Identity.Name to fetch the currently logged in user. Here's a nice overview of forms based authentication. That's the recommended approach for handling authentication in ASP.NET applications.