RE: Forms authentication vs session variable

If you are using forms authentication, you would normally attach the user
object to the forms authentication ticket in Application_AuthenticateRequest
(which fires for every page request). This then becomes available on any page
in the User property; there is no need to store it in Session. You can find
plenty of good sample code on how to do this including adding the user Roles
to the ticket.
-- Peter
Site: http://www.eggheadcafe.com
UnBlog: http://petesbloggerama.blogspot.com
Short Urls & more: http://ittyurl.net


"Bjorn Sagbakken" wrote:

In a web-application with login creds (user, pwd), these are checked against
a user table on a SQL server. On a positive validation I have saved the
userID, name, custno and role-settings in a userobject (custom build class)
and added this to the session using as session variable like session["User"]

For all other pages I have added a small test in the page_load event,
basically testing if the session["User"] != null, but also checking if the
User-object contains a UserID != ""
Only if these tests are passed, the user gets the page reguested, otherwise
he is redirected to the login page.

Well, all this works well, and I cannot see any security break here. The
only information that passes between the client and the server is the
sessionID, and this is supposed to be secure.

Still, I have been reading about using forms authentication (Cookie
authentication), and this is also easy implemented. The test in each page is
somewhat similar. But my question is: Is this actually more secure, or is it
just another way to do it?


Bjorn



.