I'm building a MVC3 application that needs to store secure user information such as userid, username, phone, and email. In my research I see people using the httpcontext object as well storing user objects in session state.
Session["User"] = user;
The previous data being stored in the user object. I'm wondering what the difference is between Session[""] and HttpContext object is and if either of these methods are a secure way to store this data.
Thanks for your thoughts!
HttpContext.Current.Items is a per-request store. It is not accessible to other users.
Session is a per USER store. It has a bad air surrounding it with performance as the session is locked per that users sessionid for each request, so overlapping requests can have performance issues in waiting for the object to become available.
Both are not available to other users unless in the case of session, someone steals (sniifs on the network) the session id and hijacks that session. Even then the data isn't accessible unless you have a trace page but keep in mind then the evil user may be able to surf pages as a different user if able to steal that and forms auth token (as just one example)
