I wrote an entire website where the security involved a user signing in, and then a session variable would be set, something like
session("userisOK") = true
and then every page would test for this.
Now I look at all the documentation on the membership classes, and I see they use a very different method. They use a cookie. And the cookie has information that is encrypted, and also tamper-protected.
Now I don't want to show my ignorance, but sessions are implemented with cookies too. What are the security holes in my method?
Obviously, if somebody got hold of the session cookie, he could log in. But that's also true if he got hold of someone else's membership cookie.
Any enlightenment is appreciated.
-- Gid
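To make the two designs in the question concrete, here is an added example (not code from the poster, and not the membership classes' own implementation) that puts them side by side in Python. The first part is the session-flag approach: the cookie carries only an opaque session id, and the "userisOK" flag lives in server-side state. The second part is a simplified self-contained ticket of the kind a membership cookie holds: the user name and an expiry are placed in the cookie and protected with an HMAC, so any change to the cookie's contents is detected. It signs but does not encrypt, which is a simplification of what the real membership cookie does; the secret key and session id values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed server-side secret for this example; a real site loads it from
# protected configuration and never sends it to the browser.
SECRET_KEY = b"example-secret-key-replace-in-production"


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the ticket is cookie-friendly."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(s: str) -> bytes:
    """Inverse of _b64e; restores the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- Design 1: server-side session flag (the poster's approach) ----------
# The browser only holds a session id; "userisOK" is never in the cookie,
# so it cannot be edited client-side, only replayed if the id is stolen.
SESSION_STORE = {}


def login_with_session(session_id: str, user: str) -> None:
    """Called after a successful credential check; sets the server-side flag."""
    SESSION_STORE[session_id] = {"userisOK": True, "user": user}


def is_logged_in_session(session_id: str) -> bool:
    """What every page would test: does this session id map to an OK flag?"""
    return SESSION_STORE.get(session_id, {}).get("userisOK", False)


# --- Design 2: self-contained, tamper-protected ticket --------------------
# Everything the server needs is inside the cookie, so the cookie itself must
# prove it has not been altered: payload + HMAC-SHA256 over the payload.

def make_ticket(user: str, ttl_seconds: int, now: float = None) -> str:
    """Issue a ticket for `user` that expires `ttl_seconds` from `now`."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"user": user, "exp": int(now + ttl_seconds)}, separators=(",", ":")
    ).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_ticket(ticket: str, now: float = None):
    """Return the user name if the ticket is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = ticket.split(".", 1)
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed ticket
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison: a modified payload no longer matches its MAC.
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    data = json.loads(payload)
    if data.get("exp", 0) < now:
        return None  # expired; limits how long a stolen ticket is useful
    return data.get("user")


if __name__ == "__main__":
    login_with_session("sess-constructed-1", "gid")
    print("session flag:", is_logged_in_session("sess-constructed-1"))
    t = make_ticket("gid", ttl_seconds=3600)
    print("ticket verifies as:", verify_ticket(t))
```

The comparison shows why the two designs need different protections. With the session flag, the cookie is only a lookup key, so there is nothing in it to tamper with; the risk is purely that the id is guessed or stolen, which is why session ids must be long, random and sent only over HTTPS. With the self-contained ticket, the cookie carries the authorization claim itself, so without the MAC a user could simply edit the user name or expiry; the signature (and, in the real membership cookie, encryption as well) is what makes that design safe. In both cases a stolen cookie replays until it expires, which is the point the question already makes, and the ticket's built-in expiry is one way to bound that window.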