Is it secure to keep my vital information sucher as UserEmailId in session in Asp.net C#

Question

0.00/5 (No votes)

See more:

C#

ASP.NET

session

if No then please Tell me the alternatate way !!!!!!

Thanks in advance .

Posted 26-Feb-13 22:43pm

sr_24

Add a Solution

Comments

Sm.Abdullah 27-Feb-13 4:51am

yes of course it is secure. you can put it into session.
no body can identify the session key or value as it is black box for the world.

José Amílcar Casimiro 27-Feb-13 4:57am

It may be safe or not depends on what is written in the code of the site, and even the IIS configuration.
Conceptually, a session hosted on the server can be safe since the client (html browser) do not have access to the server.
To ensure a better protection of the session variable it can be encrypted, so that if the session is obtained from the data reading is not straightforward.

sr_24 27-Feb-13 5:02am

Actually i am sending UserEmailId's through Response.Redirect(), Parameters ...will it be safe Now ??????

Is there any way to Encrypt my Response.Redirect() parameter values ???

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2013-02-26T22:57:00

Solution 1

Any data you keep in the Session variables does not leave the server, so it is secure from a client point of view - it is not transmitted across the internet provided your code does not do anything like that with it.

Does that make it secure? Depends on your definition of "secure" and how safe you need it to be. Since it is held in the server memory, it may be paged to disk, at which point there is a semi-permanent record. There are also wasy to read the data currently held in memory, and if your hosting service uses a farm or webservers, then the data may well be shared between them with the risks that implies.

But in general use, it's pretty "safe" - certainly more so than cookies or query strings could ever be!

Posted 26-Feb-13 22:57pm

OriginalGriff

Comments

sr_24 27-Feb-13 5:02am

Actually i am sending UserEmailId's through Response.Redirect(), Parameters ...will it be safe Now ??????

Is there any way to Encrypt my Response.Redirect() parameter values ???

OriginalGriff 27-Feb-13 5:19am

"will it be safe Now"
No. Not even slightly. Redirect parameters are transmitted in clear text and shown in teh address bar of the browser.
"Is there any way to Encrypt my Response.Redirect() parameter values"
Well...yes...but...
Encryption requires decryption - which needs the decrypt key. So any code which deals with the encrypted parameters needs to have access to the key to decrypt them. Which means that it's either on the server (in which case it's a waste of time sending them as re-direct parameters) or is on the client, in which case anyone who knows how to right click the mouse can read it.

If you want any security at all, do not let secure information leave the server! Use the session instead.

sr_24 27-Feb-13 5:31am

Ok ...but in some scenario i have to send parameters values to other pages ,then how could i do pass ,if they are VITAL and UNSECURE ...pls suggest sir ..

If i send USerID instead of UserEmail value will it be secure ????

Thanks

OriginalGriff 27-Feb-13 5:49am

If they are pages with your website, then they will share the same Session - so it isn't a problem.
If they are external pages, then you have to send them what they need in the format they require, so you don't have a choice.
If you can send UserID then that is generally more secure, if only becaus eit means nothing to any external application.

What are you trying to do? You may be going about this the wrong way.

sr_24 27-Feb-13 6:07am

Thanks Sir !!! OriginalGriff