Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
What is the best way to store username and SHA1 login for an intranet application?

Is the session a relatively secure way to hold information like multi-domain info, username and password hash? I keep them as Session["data"] = customObject()

Do I need to do any additional steps to make that data secure? Is there a potential security problem or hole which can be compromised? Some kind of session injection? Should I use some private-key process to lock/open session data for reading?

1 Answer

Storing a password hash is secure whichever way you go. The idea of hashing the password is so that it can't be reverse engineered into the password. That is why hashed passwords are recommended practice and commonly stored in databases (i.e. the ASP.net membership provider). You can use encryption, but IMHO that is less secure than hashing.

Storing a hashed password in session state, either InProc, SQL Server or session server, is fine. Storing the raw password should be a hanging offence.

You should avoid exposing the hashed password to the world, either via form or URL information, as SHA1 has been determined to be insecure. I would recommend SHA256, but in any case don't publish the hash.

I would be wondering why you want to keep this information at all. I can't think of any value it has. Once the password has been hashed, it can't be used to re-authenticate the user onto a different site.


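As an added illustration of the answer's advice (example code written for this page, not code from the question, the answer or ASP.net): the user store holds only a salted hash, the session holds only the authenticated username rather than the password or its hash, and a small check confirms nothing hash-like is in the session before it is exposed anywhere. It uses SHA256 as the answer recommends, iterated through PBKDF2; the iteration count, the record layout and the `login`/`session_is_safe_to_expose` helpers are assumptions of this example.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption of this example, not a value from the page.
PBKDF2_ITERATIONS = 200_000


def make_password_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build the stored form of a password: a random salt plus a salted SHA256 PBKDF2 hash.

    This is what belongs in the database; the raw password is never kept.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


# Dummy record so a login attempt against an unknown username costs the same
# as one against a real user (avoids leaking which usernames exist via timing).
_DUMMY_RECORD = make_password_record("dummy-password-for-timing")


def login(user_store: dict, session: dict, username: str, password: str) -> bool:
    """Authenticate and, on success, put only the username into the session.

    Neither the password nor its hash is stored in the session: once the user is
    authenticated, the session only needs to say who they are.
    """
    record = user_store.get(username, _DUMMY_RECORD)
    ok = verify_password(record, password) and username in user_store
    if not ok:
        return False
    session.clear()  # drop any pre-login state before marking the session authenticated
    session["username"] = username
    return True


# Keys that must never end up in form fields, URLs or anything else shown to the client.
SENSITIVE_KEYS = {"password", "hash", "password_hash"}


def session_is_safe_to_expose(session: dict) -> bool:
    """True when the session carries nothing password- or hash-like."""
    return not (SENSITIVE_KEYS & set(session.keys()))


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    users = {"alice": make_password_record("correct horse battery")}
    sess = {}
    print("login ok:", login(users, sess, "alice", "correct horse battery"))
    print("session:", sess, "safe:", session_is_safe_to_expose(sess))
```

Because the session holds only the username, there is nothing in it that could be replayed against another site even if it leaked, which is the point the answer makes about the hash having no further use once authentication is done.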