I'm using ASP.NET, I use a custom authentication provider that I wrote myself, hashing and salting is in place so it should be relatively secure.

I also implemented a custom auth session mechanism which works like this.

  1. User signs in to the web app, the password is verified against the data in the mssql db.
  2. A new row is inserted to the 'sessions' table, it contains a reference to the user that is logged on, an authentication token, and an expiry date.
  3. The auth token is returned with a cookie, and is stored on the client's computer.
  4. The auth token is used to identify the user.

It works perfectly, but I'm not sure it's the right way to go, because I can see the potential security risks, for example if someone hacks into the db and changes the user id, or gets a hold of the auth token, or am I wrong?

P.S. Unfortunately I cannot use the built-in auth/session handling, because our customers requested that, plus we have to support other db engines, such as mysql, oracle/etc, so please don't suggest that :)

  • "P.S. Unfortunately I cannot use the built-in auth/session handling, so please don't suggest that" - it would help if you explain why you can't use the built-in stuff: see blogs.msdn.com/b/oldnewthing/archive/2013/02/06/10391383.aspx Commented Feb 26, 2013 at 15:17
  • Well, the ASP.net Membership/State, Profile, etc. providers are supported on mysql, Oracle, etc. Commented Feb 26, 2013 at 15:31
  • You can use Forms Authentication without even using the membership provider it's pretty straightforward. Writing a custom session provider is a little bit more work. Commented Feb 26, 2013 at 15:36

1 Answer

I think this is almost secure.

To alleviate your concerns of everything being compromised upon seeing the database, there are some ways around this. If you have no concerns of scaling to multiple servers, you could generate a key on application startup. And then use this key to "sign" each session. So, you could make a hash of something like auth token+server key+expiration and then you could verify this on each request from the session.

As for people being able to steal the auth token, you only have so many options here. For reference, this is called a "replay attack". They're very hard to prevent without making your website annoying (oh you want to open 3 tabs from this one page, you're going to have to sign in because it's a replay). See wikipedia for more info. It highly depends on exactly "how secure" you need to be.
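The following is an added example, written for this page and not code from the asker or the answerer. It puts the answer's "sign each session" idea next to the asker's four-step flow: a server key is generated once at startup, each new session row carries a keyed hash over token + user id + expiry, and the check is repeated on every request, so a row whose user id was edited directly in the database no longer authenticates. The keyed hash is HMAC-SHA256 rather than a plain hash of the concatenation, which is the standard way to do what the answer describes with "hash of auth token+server key+expiration". The in-memory dictionary stands in for the asker's 'sessions' table, and all type and member names (SessionRow, SessionService, Authenticate, and so on) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the asker's or answerer's code. Names are assumptions; the
// dictionary stands in for the asker's 'sessions' table.
public sealed class SessionRow
{
    public int UserId;
    public string Token;       // random value handed to the client in the cookie
    public DateTime ExpiresUtc;
    public string Signature;   // hex HMAC-SHA256 over Token|UserId|ExpiresUtc
}

public sealed class SessionService
{
    // Generated once per process (for example in Application_Start). A restart
    // invalidates every session, and a web farm would have to share this key:
    // that is the scaling caveat the answer mentions.
    private readonly byte[] _serverKey = RandomBytes(32);

    // Stand-in for the database table, keyed by token.
    private readonly Dictionary<string, SessionRow> _sessions = new Dictionary<string, SessionRow>();

    private static byte[] RandomBytes(int count)
    {
        var buf = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return buf;
    }

    // Binds the token to the user id and the expiry, so editing either column in
    // the database (the asker's "changes the user id" case) breaks the signature.
    private string Sign(string token, int userId, DateTime expiresUtc)
    {
        string payload = token + "|" + userId + "|" + expiresUtc.Ticks;
        using (var hmac = new HMACSHA256(_serverKey))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }

    // Constant-time comparison so the verify step does not leak the signature
    // byte by byte through timing differences.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Steps 2 and 3 of the asker's flow: runs after the password check succeeded.
    public string CreateSession(int userId, TimeSpan lifetime)
    {
        string token = Convert.ToBase64String(RandomBytes(32));
        DateTime expires = DateTime.UtcNow.Add(lifetime);
        _sessions[token] = new SessionRow
        {
            UserId = userId,
            Token = token,
            ExpiresUtc = expires,
            Signature = Sign(token, userId, expires)
        };
        return token; // this value goes into the cookie (set HttpOnly and Secure)
    }

    // Step 4: called with the cookie value on every request. Returns the user id,
    // or null when the session is unknown, expired, or its row no longer matches
    // the stored signature.
    public int? Authenticate(string tokenFromCookie)
    {
        SessionRow row;
        if (tokenFromCookie == null || !_sessions.TryGetValue(tokenFromCookie, out row)) return null;
        if (row.ExpiresUtc <= DateTime.UtcNow) return null;
        byte[] expected = Encoding.UTF8.GetBytes(Sign(row.Token, row.UserId, row.ExpiresUtc));
        byte[] stored = Encoding.UTF8.GetBytes(row.Signature ?? "");
        return FixedTimeEquals(expected, stored) ? row.UserId : (int?)null;
    }

    // Only for the demo below: simulates someone editing the table directly.
    public void OverwriteUserIdForDemo(string token, int newUserId) { _sessions[token].UserId = newUserId; }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new SessionService();
        string cookie = svc.CreateSession(42, TimeSpan.FromHours(1));
        Console.WriteLine("valid session -> user " + svc.Authenticate(cookie));
        Console.WriteLine("unknown token -> " + (svc.Authenticate("bogus-token") == null ? "rejected" : "accepted"));
        svc.OverwriteUserIdForDemo(cookie, 1); // row edited behind the application's back
        Console.WriteLine("tampered row  -> " + (svc.Authenticate(cookie) == null ? "rejected" : "accepted"));
    }
}
```

Note what this does and does not cover. The signature defends against the row being altered by someone who can write to the database; it does nothing for the second concern in the question, a stolen cookie, because the token itself is still the credential. For that case the usual mitigations are the ones the answer alludes to: short expiry, HTTPS-only and HttpOnly cookies, and a new token on sign-in.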

1 Comment

I'm not sure I understand what you mean by signing each session, should I sign it on the server and what about the hash? Can you please explain?
