So basically I'm wondering how safe is my way of using Session variables.
I have a login form where user types his username/password, it gets parametrized then quer
When it comes to sessions you can very well rest assured that the data is not directly accessible. If for some reason your application ever returns data directly from the session, that could potentially be exploited, but there's seldom any reason to do this, so the risk is fairly minimal.
The riskiest part about sessions comes in the form of session hijacking. See, even though all your data is stored safely on the server we still have that whole "HTTP is stateless" issue to deal with. So some kind of identifier has to be stored on the client so that the server can look up the proper session data. But if somehow another system gets ahold of that ID then they can pretend to be you for as long as the server keeps the session active.
Aside from continuously addressing any cross-site scripting potential in your website, there isn't really much you can do about this without a secure connection. Even then it can be improperly implemented.
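An added example, not part of the original answer: a small audit of the `Set-Cookie` headers that carry the session identifier, flagging the cases where the ID is exposed to the network or to injected script. The cookie names in `SESSION_NAMES` are assumed framework defaults, and the URLs and header values are constructed sample data.

```python
from urllib.parse import urlsplit

# Assumed session-cookie names (framework defaults); adjust for your application.
SESSION_NAMES = {"phpsessid", "asp.net_sessionid", "jsessionid", "sessionid"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *rest = header.split(";")
    name = first.partition("=")[0].strip()
    attrs = {part.partition("=")[0].strip().lower() for part in rest if part.strip()}
    return name, attrs

def audit_response(url, set_cookie_headers):
    """Map each session cookie set by a response to its hijacking-related findings."""
    cleartext = urlsplit(url).scheme.lower() != "https"
    report = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() not in SESSION_NAMES:
            continue  # not a session identifier, out of scope here
        findings = []
        if cleartext:
            findings.append("issued over plain HTTP: ID is visible on the network")
        if "secure" not in attrs:
            findings.append("no Secure flag: browser will also send the ID over HTTP")
        if "httponly" not in attrs:
            findings.append("no HttpOnly flag: injected script can read the ID")
        report[name] = findings
    return report

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("http://shop.example/login", ["PHPSESSID=q1w2e3; path=/"]),
    ("https://shop.example/login", ["PHPSESSID=q1w2e3; path=/", "theme=dark; Max-Age=86400"]),
    ("https://shop.example/login", ["PHPSESSID=q1w2e3; Path=/; Secure; HttpOnly"]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        for cookie, findings in audit_response(url, headers).items():
            print(url, cookie, findings or "OK")
```

The second sample is the "improperly implemented" case: the page is served over HTTPS, but the cookie lacks both flags, so the ID can still leave over HTTP or be read by script.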