Storing user id in session variable

When logging in (via OpenID), we create a session variable named "UID" and store a unique user identifier in it. Later we check the session to see whether the user is logged in. I think this is the wrong way to do it, but I could not get the team to change it, because I cannot show how this implementation can be hacked. Can someone show me why (if so) this implementation is bad?

3 answers

I do not see a scenario where you would need to worry about the server-side Session value being obtained through a client-side exploit. There is some concern that fake OpenID providers trick users into submitting credentials, due to OpenID's lack of state, but this is generally unreasonable.

The implementation seems acceptable, but given that you are using ASP.NET, you should consider using IIdentity and this ASP.NET OpenID provider:

http://code.google.com/p/dotnetopenid/

It is well tested and has quite a bit of security code and API support built into it.

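What the "is there a UID in the session" check relies on, as an added illustration in Python (not the asker's ASP.NET code and not DotNetOpenId's): the session id must be unguessable, must expire, and must be replaced when the login state changes. The in-memory store, the timeout value and the attacker/victim scenario below are assumptions made for the example; the store is run once without and once with id rotation on login so the difference is visible.

```python
"""Minimal server-side session store illustrating what the
"UID in the session" login check depends on.

Added illustration, not the asker's ASP.NET code: the store, the
timeout and the attacker/victim scenario are all assumptions.
"""
import secrets
import time

SESSION_TTL_SECONDS = 20 * 60  # idle timeout; an assumed value


class SessionStore:
    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # session id -> {"data": {...}, "last_seen": ts}

    def new_session(self):
        # 256 bits from the OS CSPRNG: the id is the only secret the
        # check rests on, so it must not be guessable or sequential.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": {}, "last_seen": time.time()}
        return sid

    def _get(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]  # idle too long: treat as logged out
            return None
        entry["last_seen"] = now
        return entry

    def login(self, sid, uid):
        """Called after the OpenID provider has asserted the user's identity.
        Returns the session id the browser should hold from now on."""
        entry = self._get(sid)
        if entry is None:
            sid = self.new_session()
            entry = self._sessions[sid]
        if self.rotate_on_login:
            # Discard the pre-authentication id. If an attacker planted that
            # id in the victim's browser (session fixation), it must not
            # become an authenticated session when the victim logs in.
            del self._sessions[sid]
            sid = self.new_session()
            entry = self._sessions[sid]
        entry["data"]["UID"] = uid
        return sid

    def current_uid(self, sid, now=None):
        """The asker's check: the user is logged in iff the session carries a UID."""
        entry = self._get(sid, now)
        if entry is None:
            return None
        return entry["data"].get("UID")

    def logout(self, sid):
        # Server-side invalidation, not just clearing the cookie.
        self._sessions.pop(sid, None)


def fixation_scenario(rotate_on_login):
    """Attacker obtains a fresh anonymous session id and gets it into the
    victim's browser (how that happens is assumed, not shown). Returns the
    UID that (attacker's id, victim's id) resolve to after the victim logs in."""
    store = SessionStore(rotate_on_login)
    attacker_sid = store.new_session()
    victim_sid = store.login(attacker_sid, "user-42")  # victim logs in holding the planted id
    return store.current_uid(attacker_sid), store.current_uid(victim_sid)


if __name__ == "__main__":
    print("no rotation:  ", fixation_scenario(False))  # attacker's id now maps to user-42
    print("with rotation:", fixation_scenario(True))   # attacker's id is dead
```

Without rotation the planted id and the victim's id are the same object, so the attacker's cookie resolves to the victim's UID after login; with rotation the planted id is gone. Storing the UID in the session is therefore not the problem by itself; whether the id is regenerated at login, expires and is invalidated on logout is what decides whether the check means anything.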

My first question is: what makes you think that this is not the right way?


, MVC, , , . . , authorize , , .


Nissan Fan, , .

, , ?


Source: https://habr.com/ru/post/1762320/
