Web authentication state – Session vs Cookie?

by

The problem with favoring sessions over cookies for ‘security’ is that sessions USE cookies to identify the user, so any issue with cookies is present with sessions.

One thing to keep in mind with the use of Sessions is data locality. If you plan to scale to more than one webserver at any point, you need to be very careful storing large amounts of data in the session objects.

Since you are using .NET, you will basically have to write your own session store provider to handle this, as InProc won’t scale past 1 server, the DB provider is just a bad idea entirely (The whole point is to AVOID DB reads here while scaling, not add more), and the StateServer has a lot of capacity issues. (In the past, I have used a memcached session store provider with some success to combat this issue).

I would google for signed cookies and look into using that instead of either regular cookies or sessions. It solves a lot of the security concerns, and removes the locality issues with sessions. Keep in mind they come back and forth on every request, so store data sparingly.

More Related Contents:

  1. Can some hacker steal a web browser cookie from a user and login with that name on a web site?
  2. Asp.Net Forms Authentication when using iPhone UIWebView
  3. asp.net cookies, authentication and session timeouts
  4. Where to store JWT in browser? How to protect against CSRF?
  5. What are all the user accounts for IIS/ASP.NET and how do they differ?
  6. What is the App_Data folder used for in Visual Studio?
  7. Adding ASP.NET MVC5 Identity Authentication to an existing project
  8. What is default hash algorithm that ASP.NET membership uses?
  9. How serious is this new ASP.NET security vulnerability and how can I workaround it?
  10. How do I protect static files with ASP.NET form authentication on IIS 7.5?
  11. Chrome localhost cookie not being set
  12. X-Frame-Options Allow-From multiple domains
  13. Asp.net Identity password hashing
  14. MVC 5 Access Claims Identity User Data
  15. Store/assign roles of authenticated users
  16. Preventing CSRF with the same-site cookie attribute
  17. Session Fixation in ASP.NET
  18. Redirect to a page with endResponse to true VS CompleteRequest and security thread
  19. How to Customize ASP.NET Web API AuthorizeAttribute for Unusual Requirements
  20. Sharing cookies across different domains and different applications (classic ASP and ASP.NET)
  21. Is there a browser equivalent to IE’s ClearAuthenticationCache?
  22. Cannot use a leading ../ to exit above the top directory
  23. How to limit page access only to localhost?
  24. Allow anonymous authentication for a single folder in web.config?
  25. How to manually decrypt an ASP.NET Core Authentication cookie?
  26. set cookie to expire at end of session? asp.net
  27. Why do ASP.NET JSON web services return the result in ‘d’?
  28. Cache VS Session VS cookies?
  29. Can I change the FormsAuthentication cookie name?
  30. How is HttpOnly get set for ASP.NET_SessionId cookie?

Leave a Comment