Hi, I could use some advice from the gurus here.
A long time ago, I built the first release of an ASP.NET web forms application. A requirement for the web site is that only known customers may log in. So after they buy access, they get a temporary login, which allows them to change their password. At the time I decided not to use ASP membership because I needed full control of the database schema for users.
So instead of the ASP membership, I just check on each page whether there is an active Session. If (Session("Logon") == null) Response.Redirect ... This was based on the assumption that in-memory Session state is secure.
This works satisfactorily, so there is no need to change that. We are now in the process of completely revamping the site to allow responsive behaviour and a more modern user interface. Much more of the user interaction is done in the browser, with ajax calls to the ASP page. There I can do the same thing: check the Session before allowing anything that should stay confidential.
My question to the forum is: should I absolutely redo the authentication with ASP.NET Identity for security reasons, or can I safely assume that no one can hack Session (as far as you can assume anything)?
Thanks
Pieter
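The pattern the question describes, written out so the two places it has to live (every protected page and the ajax endpoint) share one check. This is an added example, not the poster's code and not taken from the site being discussed. It assumes ASP.NET Web Forms on .NET Framework 4.x with in-process session state; "Logon" is the session key from the question, while "Login.aspx", "Api.ashx", the CustomerStore helper and the use of the X-Requested-With header are assumptions made for the illustration.

```csharp
// Added example, not the poster's code. Assumes ASP.NET Web Forms (.NET Framework 4.x)
// with InProc session state. "Logon" is the session key from the question; "Login.aspx",
// "Api.ashx", the CustomerStore helper and the X-Requested-With convention are assumptions.
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

public static class Logon
{
    public const string Key = "Logon";

    // One place that decides "is this request authenticated"; pages and the
    // AJAX handler both call it, so the rule cannot drift between the two.
    public static bool IsAuthenticated(HttpSessionState session)
    {
        return session != null && session[Key] is string;
    }

    // Store the identity the database returned, never a value posted by the browser.
    public static void Establish(HttpSessionState session, string customerId)
    {
        session.Clear();            // drop anything stored before login
        session[Key] = customerId;
    }

    // Abandon the server-side state AND expire the cookie; otherwise the
    // browser keeps presenting the old ASP.NET_SessionId.
    public static void End(HttpContext ctx)
    {
        ctx.Session.Abandon();
        ctx.Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            Expires = DateTime.UtcNow.AddDays(-1),
            HttpOnly = true
        });
    }
}

// Every protected .aspx inherits from SecurePage instead of Page, so the
// check runs before any control code and cannot be forgotten on a new page.
public class SecurePage : Page
{
    protected override void OnPreInit(EventArgs e)
    {
        if (!Logon.IsAuthenticated(Session))
        {
            // endResponse: true aborts the rest of the page lifecycle.
            Response.Redirect("~/Login.aspx?ReturnUrl=" + Server.UrlEncode(Request.RawUrl), true);
        }
        base.OnPreInit(e);
    }
}

// AJAX endpoint (registered as Api.ashx). IRequiresSessionState is what makes
// context.Session available inside a handler. An unauthenticated AJAX call gets
// 401 rather than a redirect: following a redirect would hand the script the
// login page with status 200, which it cannot tell apart from real data.
public class ApiHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var response = context.Response;
        response.ContentType = "application/json";

        if (!Logon.IsAuthenticated(context.Session))
        {
            response.StatusCode = 401;
            response.Write("{\"error\":\"not authenticated\"}");
            return;
        }

        // The session cookie is attached automatically to cross-site requests,
        // so require a header that a plain cross-origin form post cannot set.
        // (Assumed convention: the site's own script adds this header.)
        if (context.Request.Headers["X-Requested-With"] != "XMLHttpRequest")
        {
            response.StatusCode = 403;
            response.Write("{\"error\":\"missing X-Requested-With\"}");
            return;
        }

        // Authorisation key comes from the session only; a customer id supplied
        // by the client is ignored.
        string customerId = (string)context.Session[Logon.Key];
        response.Write("{\"customer\":\"" + HttpUtility.JavaScriptStringEncode(customerId) + "\"}");
    }
}
```

Two settings belong next to this in web.config: `<httpCookies httpOnlyCookies="true" requireSSL="true" />` so the session cookie is not readable from script and is only sent over TLS, and `<sessionState cookieless="false" ... />` so the session id never travels in the URL. One caveat the example does not address: ASP.NET keeps the same ASP.NET_SessionId across a login by default, so Establish() clears the session contents but does not issue a fresh id; issuing a new id at login is a separate step.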