relating to another question I asked:How define "Global" variables
How secure/unsecure is to store security related information in session variables?
I'm not talking about username/password or similar, but, for example, about the "roles" a user belongs, or if he has specific permissions.
I would like to use the session variable approach to set the "security configuration" of the user at logon and reduce access to database for checking permission every time, but obvusly I won't do it if it causes a threat.
Different controls (check if user is autenticated for example) will be handled separatedly.
Is it possible for a user to arbitrarily alter the session variable values?
Additionally, how possible it is for a user to "steal" another session cookie and get access to "reserved" data?
Thank you in advance,
To better explain the situation of the application:
Users belong to different "companies", and each company is an " isolated" environment (users of company A cannot see users and operations of company B)
That said, the users of a specific company can belong to one or more "Company Groups", and have other specific permissions, which are defined on a per-Company basis, and I find hard to use asp.net role membership to achieve this (administrators of company a must not see other companies' groups).
Currently, users authenticates to application using standard asp.net mebership provider, and checked to have required base asp.net roles.
After that, each time the user requests data to the database, I'd have to:
- check to which company the user belong
- check to which company roles the user belong
- ...so on for other specific user permissions
- finaly pull out only the data the user is allowed to see.
The idea is that of setting all the additional security information on session variables at log on. At each request, asp.net authentication will automatically check if user is authenticated, and I'll verify that session variables with additional security info are set.
So, if UserA is capable of stealing both asp.net authcookie and session state of UserB, he obvusly can access data as if was UserB, while if he can steal only one, theorically I'll have an additional level of security (for example, if UserA steals session from UserB, but there is no maching with authcookie, I can block the user).
The other probelm I must consider is: is there a way by which UserA can alter the session state variables manually, so that he could manually add roles and permission to his current session)?
Is the possible problems still effective on a full https application.
Thank tou agin,