asp.net session security

If I put some pretty sensitive information in a session variable, how secure is it? Can it be accessed by a client writing a rogue page and making an ajax call to my application?

Thanks.


If you really need to store that data between requests, then you should store it on the server side.

To store information to use between requests you have these options:

  • Hidden Fields: You should never use this to store sensitive information, because the user (or a malicious user) can get that information;
  • ViewState: You should avoid storing sensitive information here, but if you really, really, really need it, you should encrypt the viewstate;
  • Cookies: You should never use this to store sensitive information. Like the Hidden Field, it's easy to see the information inside.
  • Session: If you really need to store that data, here is the place you should use. In the IT world, there is nothing safe, but this is the safer place to save that information.

I think I didn't forget anything.
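As an added illustration of the point made in this answer (this is example code, not something posted by the answerer), the Web Forms code-behind below keeps the raw value only in server-side Session and sends the browser nothing but a masked copy. The control names (txtAccount, lblMasked, btnSave), the page class name and the Session key are assumptions for the example.

```csharp
// Added example, not from the original answer. Assumed markup: a TextBox named
// txtAccount, a Label named lblMasked and a Button named btnSave wired to btnSave_Click.
using System;
using System.Web.UI;

public partial class SensitivePage : Page
{
    // Assumed Session key name for this example.
    private const string AccountKey = "AccountNumber";

    protected void btnSave_Click(object sender, EventArgs e)
    {
        string raw = txtAccount.Text.Trim();
        if (raw.Length < 4)
        {
            lblMasked.Text = "Invalid input.";
            return;
        }

        // Server side only: the value is never written to a hidden field,
        // ViewState or a cookie, so a client page cannot read it back from the HTML.
        Session[AccountKey] = raw;

        // Only the masked form is rendered to the browser.
        lblMasked.Text = Mask(raw);

        // Clear the TextBox so the raw value is not echoed back in the response.
        txtAccount.Text = string.Empty;
    }

    // Keep only the last four characters visible.
    public static string Mask(string value)
    {
        if (string.IsNullOrEmpty(value) || value.Length < 4)
        {
            return string.Empty;
        }
        return new string('*', value.Length - 4) + value.Substring(value.Length - 4);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Drop the stored value as soon as the workflow that needed it is finished,
        // which shortens the window in which a hijacked session could reach it.
        // The "done" query parameter is an assumed signal for this example.
        if (!IsPostBack && Request.QueryString["done"] == "1")
        {
            Session.Remove(AccountKey);
        }
    }
}
```

The same masking applies to anything rendered in a later page: the Session object itself is not reachable from the client, so the only way the value leaks to the browser is if your own server code writes it into the response.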


In short, because it's stored on the server, it should be safe.

The variable will be safe unless you expose it. You can't just arbitrarily make ajax calls (or any other type of calls) to retrieve session variables. You'd have to be able to write code that executes on the server.

However, if someone is able to hijack your user's session they'd be able to see it on any page you display it (if you do). This security concern isn't restricted to session variables though. If you're worried about this, you might want to use HTTPS.
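To make the session-hijacking and HTTPS advice above concrete, here is an added web.config fragment (not part of this answer) with the settings that keep the session cookie off plain HTTP and out of reach of page scripts, and that encrypt ViewState if anything sensitive ever ends up there. The attribute names are the standard ASP.NET ones; the timeout value is an arbitrary choice for the example.

```xml
<!-- Added example web.config fragment, not from the original answer. -->
<configuration>
  <system.web>
    <!-- Session ID travels only in a cookie (never embedded in the URL), with a short idle timeout. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />

    <!-- Mark ASP.NET cookies, including ASP.NET_SessionId, as HttpOnly and HTTPS-only,
         so they are not readable from script and are not sent over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- If sensitive data must go into ViewState, encrypt it and enable the MAC check. -->
    <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
  </system.web>
</configuration>
```

With requireSSL set, the site must actually be served over HTTPS or the session cookie will not be sent at all. In a web farm, ViewState encryption and MAC validation also need a shared machineKey so every server can decrypt what another one produced.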


When dealing with Credit card data you have to be very careful. This is not something you can take lightly as there are all sorts of compliance regulations and laws to consider. Basically, Session is the only place I would consider ... if I did. I would still encrypt it. In truth, however, I would recommend not storing any credit card data if you can help it. There are lots of payment systems out there, and banks provide processing tools as well. If you let the user put it in during the transaction, keep the entry secure, and store none of it, that is the safest from a legal perspective. You are not bearing risk by keeping the data.

If you MUST keep credit card data see the following PCI regulations: PCI Compliance Guide

Additionally, you may find this guide on secure session usage helpful: ASP.NET Fast, Scalable, Secure Sessions
