Security advice needed!

Smith

Hello Gurus,
I came across an ASP.NET application where access to every restricted page
is done by checking a session variable to see if it contains valid user
object info. This user object info is stored when a successful login is
done by checking a list of valid users/passwords in the database.

Can someone point out some potential security risks exposed by this method? I
have the feeling that it doesn't look good but I need to put in scenarios.

Any comment will be highly appreciated.

Smith
 
cowznofsky

> Hello Gurus,
> I came across an ASP.NET application where access to every restricted page
> is done by checking a session variable to see if it contains valid user
> object info. This user object info is stored when a successful login is
> done by checking a list of valid users/passwords in the database.
>
> Can someone point out some potential security risks exposed by this method? I
> have the feeling that it doesn't look good but I need to put in scenarios.
>
> Any comment will be highly appreciated.
>
> Smith

We have an app where the user's password gets used multiple times, so
we encrypt it using
Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.Cryptographer.EncryptSymmetric
and save it in a session variable.

On the other hand, if you're just saving a security level that you
determined at login, then maybe this isn't information that needs to
be saved.
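The session-variable check Smith describes, written out as an added ASP.NET Web Forms example (this is not code from either poster). It puts the check in one base class so no restricted page can skip it, stores only the identity and roles a page actually needs (no password, following cowznofsky's point that data which is not needed later should not be kept in the session), and clears the session on login and logout. `IUserRepository`, `UserInfo`, `Login.aspx` and the session key name are assumptions for the example.

```csharp
// Added example, not from the thread. IUserRepository, UserInfo and Login.aspx
// are hypothetical names used only to make the pattern concrete.
using System;
using System.Web;
using System.Web.UI;

public sealed class UserInfo
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string[] Roles { get; set; }
    // Deliberately no password field: pages only need identity and roles.
}

public interface IUserRepository
{
    // Hypothetical lookup: returns null when the credentials do not match.
    UserInfo FindByCredentials(string userName, string password);
}

// Every restricted page inherits from RestrictedPage instead of Page,
// so the session check runs before any page code and cannot be forgotten.
public abstract class RestrictedPage : Page
{
    public const string SessionKey = "CurrentUser";

    protected UserInfo CurrentUser
    {
        get { return Session[SessionKey] as UserInfo; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (CurrentUser == null)
        {
            // Not logged in or session expired: send to the login page,
            // remembering the requested page as a relative return URL.
            string returnUrl = HttpUtility.UrlEncode(Request.RawUrl);
            Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl, true);
        }
    }

    // Optional per-page role requirement on top of the login check.
    protected bool IsInRole(string role)
    {
        return CurrentUser != null
            && CurrentUser.Roles != null
            && Array.IndexOf(CurrentUser.Roles, role) >= 0;
    }
}

public static class SessionLogin
{
    public static bool TryLogin(HttpContext ctx, IUserRepository users,
                                string userName, string password)
    {
        UserInfo user = users.FindByCredentials(userName, password);
        if (user == null)
        {
            return false;
        }

        // Drop any state from before login so the new identity starts
        // from a clean session; the password itself is never stored.
        ctx.Session.Clear();
        ctx.Session[RestrictedPage.SessionKey] = user;
        return true;
    }

    public static void Logout(HttpContext ctx)
    {
        ctx.Session.Clear();
        ctx.Session.Abandon();
        // Expire the session cookie so the browser stops presenting the old ID.
        HttpCookie cookie = new HttpCookie("ASP.NET_SessionId", string.Empty);
        cookie.Expires = DateTime.UtcNow.AddDays(-1);
        ctx.Response.Cookies.Add(cookie);
    }
}
```

Two things the pattern depends on but that live outside this code: the session timeout and cookie settings in web.config (so an abandoned browser does not stay logged in indefinitely), and the login page only honouring a `ReturnUrl` that is a relative path on the same site before redirecting to it.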