ASP.NET and Session State/Login info
Are Session variables (in ASP.NET) the safest way to store data relating to whether a user is logged in or not? i.e. Session["LoggedIn"] = 'No'
I know Session variables can be spoofed so I assume there must be a safer way.
Any ideas for ASP.NET?
Thanks!
I've never heard about being able to spoof session variables in ASP.Net (or any other platform that I'm aware of).
You can spoof Form Variables, is that what you are thinking about?
Session variables should be safe to use. Cookies, on the other hand, no.
Sessions are secure in that they run on the server. Therefore, getting hold of them directly is quite difficult. However, that's not to say they are perfectly secure (but what is?). Hackers can still spoof other people by hijacking other sessions. This is called Session hijacking. You can get info on how to reduce the likeliness of it here
They are one of the safest ways of storing data though, so you should use them. But don't forget, if you're using the default in-proc method, the sessions will be stored in memory. If you hold too much data, your memory will be consumed quickly. For large amounts of data, consider storing sessions in a database or an external session-dedicated server.
This is the answer you are looking for
@V-Man you only have a few options being that your solution is stateless. One is sessions, and as long as you are not creating a huge web based system that is not spread across multiple web servers then session variables are your best bet. The other way to do this is to cache the results.
Sessions are fine to use but do keep in mind that if you go to multiple servers it can become an issue.
Normally you can tell if someone is logged in just by checking the following, assuming you're using forms or windows authentication:
HttpContext.Current.User
I also have stored extended information in the session for the user that I might need to access often such as their profile that could contain stuff like full name, email, access level, etc...
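An added example, not part of the original answers: one way to combine the points above under forms authentication, taking the login state from `HttpContext.Current.User` instead of a Session flag, discarding the pre-login session at sign-in so its ID is not carried over, and tying the cached profile to the authenticated name. `UserProfile`, `AuthState` and the `loadProfile` delegate are hypothetical names; session state is assumed to be enabled with the default `ASP.NET_SessionId` cookie.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical type for the "extended information" kept in Session.
[Serializable]
public sealed class UserProfile
{
    public string UserName { get; set; }
    public string FullName { get; set; }
    public int AccessLevel { get; set; }
}

public static class AuthState
{
    private const string ProfileKey = "UserProfile";

    // Login state comes from the authentication module, not a Session flag.
    public static bool IsLoggedIn(HttpContext ctx)
    {
        return ctx.User != null && ctx.User.Identity.IsAuthenticated;
    }

    // Call only after the credentials have been verified.
    public static void SignIn(HttpContext ctx, string userName)
    {
        // Abandon the pre-login session and blank its cookie so a fresh ID is issued.
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", string.Empty));
        FormsAuthentication.SetAuthCookie(userName, false);
    }

    // Session is only a cache: reload when it is empty or belongs to another name.
    public static UserProfile GetProfile(HttpContext ctx, Func<string, UserProfile> loadProfile)
    {
        if (!IsLoggedIn(ctx)) return null;
        string name = ctx.User.Identity.Name;
        var cached = ctx.Session[ProfileKey] as UserProfile;
        if (cached == null || !string.Equals(cached.UserName, name, StringComparison.OrdinalIgnoreCase))
        {
            cached = loadProfile(name);
            ctx.Session[ProfileKey] = cached;
        }
        return cached;
    }
}
```

Because the profile is re-derived from the authenticated identity whenever the two disagree, a stale or mismatched session entry cannot grant a different user's access level.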