Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
563 views
in Technique[技术] by (71.8m points)

c# - Is storing login and password hash in session secure?

What is the best way to store username and SHA1 login for an intranet application?

Is session relatively secure way to hold information like multidomain info, username and password hash? I keep them as Session["data"] = customObject()

Do I need to do any additional step to make those data secure? Is there a potential security problem or hole which can be compromised? Some kind of session injection? Should I use some privatekey process to lock/open session data for reading?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Storing a password hash is secure whichever way you go. The idea of hashing the password is so that it can't be reverse engineered into the password. That is why hashed passwords are recommended practice and commonly stored in databases (ie ASP.net membership provider). Youc an use encryption, but IMHO that is less secure than hashing.

Storing a hash password in session state, either inProc, sqlserver or session server is fine. Storing the raw password should be a hanging offence.

You would avoid exposing the hashed password to the world either via form or url information as SHA1 has been determined to be insecure. I would recommend SHA256 but in any case don't publish the hash.

I would be wondering why you want to keep this information at all. I can't think of any value it has. Once the password has been hashed, it can't be used to re-authenticate the user onto a different site.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...