Forms authentication vs session variable

---

• From: "Bjorn Sagbakken" <bjo-sag@xxxxxxxxx>
• Date: Sat, 12 Apr 2008 10:25:53 +0200

---

In a web-application with login creds (user, pwd), these are checked against
a user table on a SQL server. On a positive validation I have saved the
userID, name, custno and role-settings in a userobject (custom build class)
and added this to the session using as session variable like session["User"]

For all other pages I have added a small test in the page_load event,
basically testing if the session["User"] != null, but also checking if the
User-object contains a UserID != ""
Only if these tests are passed, the user gets the page reguested, otherwise
he is redirected to the login page.

Well, all this works well, and I cannot see any security break here. The
only information that passes between the client and the server is the
sessionID, and this is supposed to be secure.

Still, I have been reading about using forms authentication (Cookie
authentication), and this is also easy implemented. The test in each page is
somewhat similar. But my question is: Is this actually more secure, or is it
just another way to do it?


Bjorn


.

---

• Follow-Ups:
  • RE: Forms authentication vs session variable
    • From: Peter Bromberg [C# MVP]

• Prev by Date: Re: File upload problem
• Next by Date: Re: Page.IsValid changes to false after button click
• Previous by thread: ListView control
• Next by thread: RE: Forms authentication vs session variable
• Index(es):
  • Date
  • Thread

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)