ASP.NET MVC: Is it safe to keep sensitive info in Session?
I have a basic authentication scheme on an ASP.NET MVC website:

    [HttpPost]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        WebSecurity.Login(model.UserName, model.Password, persistCookie: false);
        return RedirectToAction("Index", "Home");
    }

I have a UserInfoViewModel class that holds user-specific information, and I use it on different pages. To avoid creating a UserInfoViewModel every time I need it, I want to save it in Session in the Login method:

    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        WebSecurity.Login(model.UserName, model.Password, persistCookie: false);
        var userInfoViewModel = new UserInfoViewModel();
        Session["UserInfo"] = userInfoViewModel;
        return RedirectToLocal(returnUrl);
    }

Considering that I have sensitive info that I rely on inside UserInfoViewModel, such as IsSuperUser, is it safe to keep this object in Session? Will it expire when the user's login session expires as well?
Solution
System.Security.Principal.IIdentity is exactly made for that. It saves inside the auth cookie the custom user info you need, so you don't have to recalculate it every time. See: Use custom principal objects (video tutorial).

Thank you for your answers!
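As an added example (not code from either answerer or from the question), here is one way to carry IsSuperUser inside the forms authentication ticket's UserData and expose it through a custom IPrincipal, as the first answer suggests. UserInfo, UserInfoPrincipal, the "SuperUser" role and the Membership/Roles calls are assumptions; LoginViewModel is the question's own class.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical: the per-user data the question keeps in UserInfoViewModel.
public class UserInfo { public string UserName; public bool IsSuperUser; }

// Custom principal carrying UserInfo alongside the forms identity.
public class UserInfoPrincipal : IPrincipal
{
    public UserInfoPrincipal(IIdentity identity, UserInfo info) { Identity = identity; Info = info; }
    public IIdentity Identity { get; private set; }
    public UserInfo Info { get; private set; }
    public bool IsInRole(string role) { return role == "SuperUser" && Info.IsSuperUser; }
}
public class AccountController : Controller
{
    [HttpPost]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        // Assumes the classic Membership/Roles providers instead of WebSecurity.
        if (!Membership.ValidateUser(model.UserName, model.Password)) return View(model);
        bool isSuperUser = Roles.IsUserInRole(model.UserName, "SuperUser");
        // UserData travels inside the ticket. The cookie is encrypted and MAC'd with
        // the machineKey, so the browser can neither read nor flip IsSuperUser.
        var ticket = new FormsAuthenticationTicket(1, model.UserName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, isSuperUser ? "1" : "0");
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = FormsAuthentication.RequireSSL });
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}

// Global.asax.cs: rebuild the principal from the ticket on every request, so the
// data survives app-pool recycles and expires exactly when the auth cookie does.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); } catch (Exception) { return; } // tampered or stale
        if (ticket == null || ticket.Expired) return;
        var info = new UserInfo { UserName = ticket.Name, IsSuperUser = ticket.UserData == "1" };
        Context.User = new UserInfoPrincipal(new FormsIdentity(ticket), info);
    }
}
```

Controllers and views then read `((UserInfoPrincipal)User).Info.IsSuperUser` instead of `Session["UserInfo"]`; nothing sensitive sits in server memory that a recycle can drop, and the flag cannot outlive the authentication cookie.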
Yes, it is safe because the session is stored on the server. There is one problem you should be thinking about if you decide to use ASP.NET sessions. If the session is stored in the memory of the web server (the default), IIS could recycle the application at any time and you would lose the session data. On the other hand, the user would still be authenticated because this is tracked by the forms authentication cookie, which is still being sent. So if you want to use sessions I would recommend switching to an out-of-proc session provider (such as StateServer or SQLServer).

Also, as @mikeb pointed out in the comments section, there's a serious issue with Session. If it is enabled in read and write mode for a given controller, you will not be able to process multiple requests for the same session in parallel. The server will block and process them sequentially. Think for example of multiple AJAX requests for the same session. They will block and be processed sequentially.
Tags: asp.net, asp.net-mvc, session