May 6th, 2010, 09:56 AM
Imar
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

It wouldn't be my solution. Separating users by password is a bad idea. What if someone changes his password? This is what user names are for. I would try to rearchitect the solution.

To answer the question: yes, it's more or less safe to store it in Session state since no one has access to it directly. However, it's still tricky and can lead to information disclosure, IMO. You could have a logging module that sends out errors and may include session data so it could still "leak" out of your application.

Can you please post questions that are not directly related to my book in a general ASP.NET category? Makes it easier for everyone to find stuff.


Imar Spaanjaars

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
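The logging leak mentioned in the post above can be closed by building the session part of an error report from an allowlist, so that any key nobody reviewed is redacted by default. This is an added example, not code from the post or from the book; `SessionReport`, `SafeKeys` and `Describe` are hypothetical names, and the session is modelled as plain key/value pairs rather than the real `HttpSessionState` object.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example: builds the session part of an error report without leaking values.
public static class SessionReport
{
    // Assumption: only these session keys are known to be harmless in a log.
    private static readonly HashSet<string> SafeKeys =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Culture", "LastPage" };

    // Allowlist rather than blocklist: a key nobody thought about is redacted by default.
    public static string Describe(IEnumerable<KeyValuePair<string, object>> session)
    {
        var sb = new StringBuilder();
        foreach (var item in session)
        {
            string shown;
            if (item.Value == null) shown = "(null)";
            else if (SafeKeys.Contains(item.Key)) shown = Sanitize(item.Value.ToString());
            else shown = "[redacted " + item.Value.GetType().Name + "]";
            sb.Append(item.Key).Append('=').Append(shown).Append('\n');
        }
        return sb.ToString();
    }

    // Strip CR/LF so a stored value cannot forge extra log lines.
    private static string Sanitize(string value)
    {
        return value.Replace("\r", " ").Replace("\n", " ");
    }

    public static void Main()
    {
        // Constructed sample standing in for the contents of Session.
        var session = new Dictionary<string, object>
        {
            { "Culture", "nl-NL" },
            { "LastPage", "/orders\r\nfake entry" },
            { "Password", "constructed-sample-value" },
            { "CartId", 4211 }
        };
        Console.Write(Describe(session));
    }
}
```

The report still shows which keys were present and their types, which is usually enough to debug an error without the values ever leaving the application.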