Is forms authentication more secure than storing user ID in ASP.NET_session (session capture)

Question

Is forms authentication more secure than storing user ID in ASP.NET_session (session capture)

From what I understand about how session capture works, I don't see any advantage that Forms authentication has for storing user authentication information in an ASP.NET session. Both ASP.NET authentication and session forms use cookies that are hashed to verify integrity, but both cannot protect against a hacker stealing a cookie and disguising itself as a user. So, is there any security reason for using forms authentication to store authentication information in an ASP.NET session?

+1

security asp.net session-hijacking

enamrik Dec 05 '11 at 10:29

source share

2 answers

, , , , cookie Forms Auth ( ..), cookie . , , - , , 30 . ,

0

enamrik 04 . '12 15:52

John Wu · Accepted Answer · 2013-10-04T23:57:47+0000

A couple of differences:

If you save authentication data in session state and overwrite the application pool, all your users will log out instantly. In contrast, forms authentication contains the necessary information in an encrypted format in forms authentication cookies and survives the reuse of the application pool.

Session IDs are a 120-bit random number. The only defense is chance. There is no protection against unauthorized access, and in fact, a hacker can continuously try your website with random session identifiers until it finds one that works. An intrusion detection mechanism for this kind of action does not exist, because it is not possible to distinguish a changed session identifier from an expired one.

(cookie) . , 128- . - , . , . , .

, , BOTH ASP.NET_SessionId. ( ESB), .

Is forms authentication more secure than storing user ID in ASP.NET_session (session capture)

More articles: