Is ASP.net httpcontext cache object secure enough to store (relatively) sensitive information in it?

Question

I've figured out that ASP.net httpcontext cache object can help in increasing web application performance by reducing the number of times referring to database in specific scenarios. I've decided to put my user object which is made upon a successful login to httpcontext cache object and preserve it there for reducing the number of subsequent refers to DB in processing each page/request. I do not keep password or salt value in that object but I keep things like account expiration date in user object. I checked the below link

Security of cached data in .NET

to see whether the solutions are applicable to my scenario or not but I was not able to deduce that talks there can be applied to this scenario (keeping these kind of relatively sensitive information in cache object).

Can you please tell whether this utilization of cache object is secure enough for holding things like account expiration date or account activeness flag or not? If not, what are your suggestions for having user object at hand without subsequent DB calls.

P.S: I do not want to keep that object in session object because of the problems happening in each application pool recycling.

Answer 1

As the linked post suggests, it's only as secure as your application, server infrastructure and the way you've written your code. The Cache holds information application-wide which means that there's a higher risk of exposing user-specific information between users if there's a security vulnerability in the way you've written your code.

Just by-the-by - if you're having problems with Session because of app pool recycling, using the Cache won't help that. The Cache gets cleared when the app pool recycles in the same way as Session (if session is configured to be InProc). In fact, if you've configured Session to be InProc, then the values are actually stored in the Cache anyway!