Thread: Storing sensitive information in a Session variable

  1. #1

    Thread Starter
    PowerPoster
    Join Date
    Apr 2007
    Location
    The Netherlands
    Posts
    5,070

    Storing sensitive information in a Session variable

    Hi,

    I am creating a website that allows users to log in to their gameserver remotely and send / receive commands. The connection happens via a UDP socket and requires simply the IP of the gameserver, and a password.

    On my website, users can add servers to their accounts, where the server IP and password are stored in a database. Then they can connect to any of their servers, which creates a new Socket object and connects to it using the IP and password of that server.

    This Socket object, embedded in an object that also stores the server IP and password, is stored in a Session variable when the user connects, and is retrieved on every page. For example, there's a page where the user can view a list of the players on the server (and kick/ban them), a page with server settings, a page with messages, etc. All these pages require the Socket connection to get their information (they send a certain command and parse the response).

    When I need to send a command via the socket, I need to send the password of the server each time (otherwise it does not work).


    My question now is: how secure is this? The password of a server is sensitive information*, but I am storing it in a session variable and sending it (using the Send command of the Socket object) to the server.

    Could the password possibly be intercepted by someone? I think the Session variable is stored in memory on the server, so I don't think so, but I'm really unsure about these kinds of things and I'd like to be certain that my website is secure. Well, I think it will never be 100% secure but I want it to be at least not worth the effort for someone to hack the password. If it takes a lot of trouble then people wouldn't bother, but I don't want to find out that people's passwords are being thrown out on the street (so to speak) and that my website is completely insecure...


    Thanks for any info!

    * It is not extremely bad if someone got hold of it, one can simply reinstall their server to reset the password and no harm done, but I would still like to avoid 'hackers' getting the passwords.

  2. #2
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: Storing sensitive information in a Session variable

    Quote Originally Posted by NickThissen View Post
    ...and is retrieved on every page. For example, there's a page where the user can view a list of the players on the server (and kick/ban them), a page with server settings, a page with messages, etc. All these pages require the Socket connection to get their information (they send a certain command and parse the response).
    How are you transmitting the pw to the client from the server? Are you embedding it in a control that is sent to the page?

    Show the code-behind with how you send the PW off from the server.

    While the PW is in a SESSION VBL on the server it isn't accessible to the outside world - I'm not feeling too concerned about that...

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  3. #3

    Thread Starter
    PowerPoster
    Join Date
    Apr 2007
    Location
    The Netherlands
    Posts
    5,070

    Re: Storing sensitive information in a Session variable

    The password is only sent back to the client when he clicks the Edit button to edit a server. In that case, the textbox that the user should use to input the password is populated with the password, which comes from the database.

    Here's the code for that:
    csharp Code:
    public partial class EditServer : System.Web.UI.Page
    {
        private bool isUpdating = false;
        private User user;
        private Server currentServer;

        protected void Page_Load(object sender, EventArgs e)
        {
            // Make sure a user is logged in
            user = UserManager.GetLoggedOnUser();
            if (user == null) FormsAuthentication.RedirectToLoginPage();

            // Get the server ID from the query string
            var serverId = this.GetServerId();

            using (var serverManager = new ServerManager())
            {
                if (serverId > 0)
                {
                    // If the ID > 0, it is an existing server, so load its details from the database
                    currentServer = serverManager.LoadById(serverId);

                    if (!(currentServer != null && user.Id == currentServer.UserId))
                    {
                        // If no such server exists in the database,
                        // OR if the user does not own this server, then go back to the Servers page
                        Response.Redirect("~/Servers.aspx");
                    }
                    isUpdating = true;
                }
                else
                {
                    // Else it is a new server
                    isUpdating = false;
                }
            }

            lblTitle.Text = isUpdating ? "Edit server details" : "Add new server";

            if (!this.IsPostBack)
            {
                this.SetFieldValues();
            }
        }

        private void SetFieldValues()
        {
            if (isUpdating)
            {
                // The stored RCON password is written into the textbox here
                txtIp.Text = currentServer.Ip;
                txtPort.Text = currentServer.Port.ToString();
                txtRconPassword.Text = currentServer.RconPassword;
            }
            else
            {
                txtIp.Text = String.Empty;
                txtPort.Text = "3074";
                txtRconPassword.Text = String.Empty;
            }

            btnOK.Visible = false;
            btnTest.Visible = true;
        }
    }

  4. #4
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    Connecticut
    Posts
    18,263

    Re: Storing sensitive information in a Session variable

    Those are going right into the page - so if you VIEW source you see them in the HTML page itself.

    Are you using HTTPS?


  5. #5
    Frenzied Member MattP's Avatar
    Join Date
    Dec 2008
    Location
    WY
    Posts
    1,227

    Re: Storing sensitive information in a Session variable


  6. #6

    Thread Starter
    PowerPoster
    Join Date
    Apr 2007
    Location
    The Netherlands
    Posts
    5,070

    Re: Storing sensitive information in a Session variable

    Quote Originally Posted by szlamany View Post
    Those are going right into the page - so if you VIEW source you see them in the HTML page itself.

    Are you using HTTPS?
    Yeah... Well, the password textbox has its TextMode property set to Password so it's not visible on the outside (but probably still in the source html, I haven't checked).

    No, I'm not using HTTPS, at least I don't think so (so probably not).

    So basically I just shouldn't populate the password textbox and let the user enter it again when he edits a server?

    Quote Originally Posted by MattP View Post
    Thanks I'll read that soon.

  7. #7
    PowerPoster gep13's Avatar
    Join Date
    Nov 2004
    Location
    The Granite City
    Posts
    21,963

    Re: Storing sensitive information in a Session variable

    Quote Originally Posted by NickThissen View Post
    So basically I just shouldn't populate the password textbox and let the user enter it again when he edits a server?
    Agreed, you definitely shouldn't.

    Gary
