Is it safe to store an OTP in the session?
I am writing a web application and for certain actions the user needs to enter a One Time Pin (OTP) - similar to most banking websites.
So I basically need to generate a random string, store it somewhere, send it to the user and then validate the entered pin against the one I stored.
Is it safe to store this generated string in the ASP Session object?
Don't store the PIN. Hash it (one of the SHA algorithms, preferably with some salt) and store the hash. Then compare the hash of what the user types in to the hash you stored. Then, if your storage (be it in the session object, some database, or whatever) is compromised, the attacker does not learn what the PIN is.
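As an added illustration of the approach in this answer (example code written for this page, not from the original poster): the OTP is generated from the OS CSPRNG, only a salted SHA-256 hash is kept in the session store, and the comparison is done against the hash. The session is modelled as a plain dict standing in for the ASP Session object; the expiry, attempt limit and single-use consumption are my assumptions, not part of the answer.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300  # assumed lifetime of a pin (not from the answer)
MAX_ATTEMPTS = 5       # assumed guess limit for a 6-digit pin (not from the answer)


def generate_otp(digits=OTP_DIGITS):
    """Return a random numeric pin drawn from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def _hash_otp(otp, salt):
    """Salted SHA-256 of the pin, as the answer suggests; the clear pin is never stored."""
    return hashlib.sha256(salt + otp.encode("utf-8")).hexdigest()


def issue_otp(session, now=None):
    """Create a pin, store only salt + hash + bookkeeping in the session, return the pin
    so the caller can send it to the user out of band."""
    now = time.time() if now is None else now
    otp = generate_otp()
    salt = secrets.token_bytes(16)
    session["otp"] = {
        "salt": salt.hex(),
        "hash": _hash_otp(otp, salt),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return otp


def verify_otp(session, entered, now=None):
    """Compare the hash of the entered pin with the stored hash.  Expired or
    over-tried pins are discarded; a successful pin is consumed (one-time)."""
    now = time.time() if now is None else now
    record = session.get("otp")
    if record is None:
        return False
    if now > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
        session.pop("otp", None)
        return False
    record["attempts"] += 1
    candidate = _hash_otp(entered, bytes.fromhex(record["salt"]))
    # constant-time comparison so timing does not leak how many characters matched
    if hmac.compare_digest(candidate, record["hash"]):
        session.pop("otp", None)  # one-time: a correct pin cannot be replayed
        return True
    return False
```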
Just be aware that any in-memory Session data is not transferable to other web servers in a web farm, so if this site needs to scale then you might want to put the OTP off the web server. Unless you employ sticky sessions, of course.
Session is a server-side collection not accessible on the client (as opposed to cookies / viewstate). It should be free from client manipulation.
Still, I think you should store these OTPs in the database and compare against those.