-
Dec 17th, 2010, 09:33 AM
#1
Storing sensitive information in a Session variable
Hi,
I am creating a website that allows users to login to their gameserver remotely and send / receive commands. The connection happens via a UDP socket and requires simply the IP of the gameserver, and a password.
On my website, users can add servers to their accounts, where the server IP and password are stored in a database. Then they can connect to any of their servers, which creates a new Socket object and connects to it using the IP and password of that server.
This Socket object, embedded in an object that also stores the server IP and password, is stored in a Session variable when the user connects, and is retrieved on every page. For example, there's a page where the user can view a list of the players on the server (and kick/ban them), a page with server settings, a page with messages, etc. All these pages require the Socket connection to get their information (they send a certain command and parse the response).
When I need to send a command via the socket, I need to send the password of the server each time (otherwise it does not work).
My question now is: how secure is this? The password of a server is sensitive information*, but I am storing it in a session variable and sending it (using the Send command of the Socket object) to the server.
Could the password possibly be intercepted by someone? I think the Session variable is stored in memory on the server, so I don't think so, but I'm really unsure about these kinds of things and I'd like to be certain that my website is secure. Well, I think it will never be 100% secure but I want it to be at least not worth the effort for someone to hack the password. If it takes a lot of trouble then people wouldn't bother, but I don't want to find out that people's passwords are being thrown out on the street (so to speak) and that my website is completely insecure...
Thanks for any info!
* It is not extremely bad if someone would get a hold of it, one can simply reinstall their server to reset the password and no harm done, but I would still like to avoid 'hackers' getting the passwords.
-
Dec 17th, 2010, 04:38 PM
#2
Re: Storing sensitive information in a Session variable
Originally Posted by NickThissen
...and is retrieved on every page. For example, there's a page where the user can view a list of the players on the server (and kick/ban them), a page with server settings, a page with messages, etc. All these pages require the Socket connection to get their information (they send a certain command and parse the response).
How are you transmitting the pw to the client from the server? Are you embedding it in a control that is sent to the page?
Show the code-behind with how you send the PW off from the server.
While the PW is in a SESSION VBL on the server it isn't accessible to the outside world - I'm not feeling too concerned about that...
-
Dec 17th, 2010, 04:47 PM
#3
Re: Storing sensitive information in a Session variable
The password is only sent back to the client when he clicks the Edit button to edit a server. In that case, the textbox that the user should use to input the password is populated with the password, which comes from the database.
Here's the code for that:
csharp Code:
public partial class EditServer : System.Web.UI.Page
{
    private bool isUpdating = false;
    private User user;
    private Server currentServer;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Make sure a user is logged in
        user = UserManager.GetLoggedOnUser();
        if (user == null)
        {
            FormsAuthentication.RedirectToLoginPage();
            return; // RedirectToLoginPage does not end the response, so stop here before user is dereferenced
        }

        // Get the server ID from the query string
        var serverId = this.GetServerId();
        using (var serverManager = new ServerManager())
        {
            if (serverId > 0)
            {
                // If the ID > 0, it is an existing server, so load its details from the database
                currentServer = serverManager.LoadById(serverId);
                if (!(currentServer != null && user.Id == currentServer.UserId))
                {
                    // If no such server exists in the database,
                    // OR if the user does not own this server, then go back to the Servers page
                    Response.Redirect("~/Servers.aspx");
                }
                isUpdating = true;
            }
            else
            {
                // Else it is a new server
                isUpdating = false;
            }
        }

        lblTitle.Text = isUpdating ? "Edit server details" : "Add new server";
        if (!this.IsPostBack)
        {
            this.SetFieldValues();
        }
    }

    private void SetFieldValues()
    {
        if (isUpdating)
        {
            txtIp.Text = currentServer.Ip;
            txtPort.Text = currentServer.Port.ToString();
            txtRconPassword.Text = currentServer.RconPassword;
        }
        else
        {
            txtIp.Text = String.Empty;
            txtPort.Text = "3074";
            txtRconPassword.Text = String.Empty;
        }
        btnOK.Visible = false;
        btnTest.Visible = true;
    }
}
-
Dec 17th, 2010, 04:52 PM
#4
Re: Storing sensitive information in a Session variable
Those are going right into the page - so if you VIEW source you see them in the HTML page itself.
Are you using HTTPS?
-
Dec 17th, 2010, 04:54 PM
#5
Re: Storing sensitive information in a Session variable
-
Dec 17th, 2010, 05:05 PM
#6
Re: Storing sensitive information in a Session variable
Originally Posted by szlamany
Those are going right into the page - so if you VIEW source you see them in the HTML page itself.
Are you using HTTPS?
Yeah... Well, the password textbox has its TextMode property set to Password so it's not visible on the outside (but probably still in the source html, I haven't checked).
No I'm not using HTTPS, at least I don't think so (so probably not).
So basically I just shouldn't populate the password textbox and let the user enter it again when he edits a server?
Originally Posted by MattP
Thanks, I'll read that soon.
-
Dec 18th, 2010, 01:12 PM
#7
Re: Storing sensitive information in a Session variable
Originally Posted by NickThissen
So basically I just shouldn't populate the password textbox and let the user enter it again when he edits a server?
Agreed, you definitely shouldn't.
Gary
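A version of the EditServer page that follows the advice in this thread, added here as an example and not code from the thread: the stored password is never written back into the form, a blank password field on save keeps the existing one, and plain-HTTP requests are redirected to HTTPS before the form is served. It assumes, as in the original post, that `GetServerId()` exists, and additionally that `Server` can be created with an object initializer and that `ServerManager` has a `Save(Server)` method.

```csharp
using System;
using System.Web.Security;
public partial class EditServer : System.Web.UI.Page
{
    private bool isUpdating;
    private User user;
    private Server currentServer;

    protected void Page_Load(object sender, EventArgs e)
    {
        // The RCON password is typed into this form, so refuse plain HTTP
        if (!Request.IsSecureConnection)
            Response.Redirect("https://" + Request.Url.Host + Request.Url.PathAndQuery);
        user = UserManager.GetLoggedOnUser();
        if (user == null)
        {
            FormsAuthentication.RedirectToLoginPage();
            return; // RedirectToLoginPage does not end the response by itself
        }
        int serverId = this.GetServerId();
        using (var serverManager = new ServerManager())
            currentServer = serverId > 0 ? serverManager.LoadById(serverId) : null;
        // An unknown id, or a server owned by another user, goes back to the list
        if (serverId > 0 && (currentServer == null || currentServer.UserId != user.Id))
            Response.Redirect("~/Servers.aspx");
        isUpdating = currentServer != null;
        if (!IsPostBack) SetFieldValues();
    }

    private void SetFieldValues()
    {
        txtIp.Text = isUpdating ? currentServer.Ip : String.Empty;
        txtPort.Text = isUpdating ? currentServer.Port.ToString() : "3074";
        // Never pre-fill the password; a blank field on save means "keep the stored one"
        txtRconPassword.Text = String.Empty;
    }

    protected void btnOK_Click(object sender, EventArgs e)
    {
        var server = isUpdating ? currentServer : new Server { UserId = user.Id }; // assumed initializer
        server.Ip = txtIp.Text.Trim();
        server.Port = int.Parse(txtPort.Text);
        if (txtRconPassword.Text.Length > 0)       // only replace it when re-entered
            server.RconPassword = txtRconPassword.Text;
        using (var serverManager = new ServerManager())
            serverManager.Save(server);            // assumed persistence method
        Response.Redirect("~/Servers.aspx");
    }
}
```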