asp.net formsauthentication

The advantage of FormsAuthentication class over session variable


My web site is using a session variable to store the login status, like Session["User"],

and checks this session variable in each page, like:

if (Session["User"] == null) Response.Redirect("loginPage.aspx");

Is FormsAuthentication more secure?

Thanks.


Solution

  • The first thing is that it is more secure than the normal session. There is a possibility of session hijacking. You can see the following links for more details.

    http://msdn.microsoft.com/en-us/library/ms972969.aspx

    http://peterwong.net/blog/?p=136

    Also, sessions can be available even if you are not logged in. The only thing you need is the session ID generated for the user.

    The following are other advantages.

    1) Forms authentication can support role-based authorization, so if you don't want users to access some folder that is specific to administrators only, you can do that very easily with forms authentication, while with session you need to do it manually.

    2) You can create your login-logout functionality with inbuilt controls of asp.net with membership and forms authentication.

    3) It generates an authentication token, so you don't have to check manually every time like with session.

    Maintaining critical information in session is not a good idea. Hope this will help you. I highly recommend using forms authentication or any of the latest technologies like ASP.NET Identity for authentication.
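
Added example (not part of the original answer or the asker's site): a `web.config` sketch of points 1 and 3, where the forms-authentication ticket replaces the per-page `Session["User"]` check and a folder is restricted by role. The folder name `Admin`, the role name `Administrators`, and the timeout value are assumptions; `loginPage.aspx` is the page named in the question.

```xml
<!-- Constructed example configuration; adapt names and values to the real site. -->
<configuration>
  <system.web>
    <!-- After a successful login the framework issues an encrypted, signed
         ticket cookie and validates it on every request, so individual pages
         no longer need an "if (Session["User"] == null)" redirect. -->
    <authentication mode="Forms">
      <forms loginUrl="loginPage.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             timeout="30"
             slidingExpiration="true" />
      <!-- protection="All": ticket is both encrypted and integrity-checked.
           requireSSL="true": cookie is only sent over HTTPS.
           cookieless="UseCookies": ticket is never placed in the URL. -->
    </authentication>

    <!-- Site-wide rule: "?" means anonymous users. They are redirected to
         loginUrl; the login page itself stays reachable. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Role-based rule for one folder (assumed to be named "Admin").
       Rules are evaluated top-down and the first match wins, so the
       allow must come before the catch-all deny.
       Assumption: roles are supplied by a configured role provider or by
       a custom principal attached to the request. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the login handler only needs to validate the credentials and issue the ticket (for example through `FormsAuthentication.SetAuthCookie`); the authorization rules above are enforced before any page code runs.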