Question

I read a posting on a blog about sessions and cookies. Here are the details:

Sessions

  1. Sessions are more secure
  2. Sessions are on the server

Cookies

  1. Cookies are on the client side
  2. Less secure
  3. Once they are disabled in the browser, they are difficult to use.

On the basis of the above argument I used sessions in the login system to keep UserId, UserName & roleName.

Now, on the basis of roleName, I will decide whether this is an Admin who may enter the administrator section or not.

I have used this code in the Model in MVC:

    // Directives this method depends on (Enterprise Library Data Access block + LINQ to DataSet).
    using System;
    using System.Data;
    using System.Data.Common;
    using System.Linq;
    using System.Web;
    using Microsoft.Practices.EnterpriseLibrary.Data;

    public bool LoginMe()
    {
        // A plain model class has no Session property; in ASP.NET MVC the
        // current session is reached through HttpContext.Current.
        var Session = HttpContext.Current.Session;
        Int64 Error;

        // create db (connection string name "DBContext" from web.config)
        Database db = DatabaseFactory.CreateDatabase("DBContext");
        DbCommand dbCommand = db.GetStoredProcCommand("ValidateUser");

        db.AddInParameter(dbCommand, "@Username", DbType.String, this.UserName);
        db.AddInParameter(dbCommand, "@Password", DbType.String, EncryptPassword(this.Password));
        db.AddOutParameter(dbCommand, "@Error", DbType.Int64, 10);

        DataSet dsResult = db.ExecuteDataSet(dbCommand);
        Error = Convert.ToInt64(db.GetParameterValue(dbCommand, "@Error"));

        // 1100 is the stored procedure's "credentials valid" status code
        if (Error == 1100)
        {
            try
            {
                var query = (from o in dsResult.Tables[0].AsEnumerable()
                             select new AllUser
                             {
                                 UserId = o.Field<int>("UserId"),
                                 UserName = o.Field<string>("UserName"),
                                 roleName = o.Field<string>("roleName"),
                             }).Single(); // this will raise an exception if there isn't just one record returned

                Session["UserId"] = query.UserId;
                Session["UserName"] = query.UserName;
                Session["roleName"] = query.roleName;

                return true;
            }
            catch
            {
                // do nothing and let method return false as something has gone wrong.
                // add logging here if you are using it to show there has been a problem
            }
        }
        return false;
    }

I used it in the View like `@Session["UserId"]`.

Now an expert commented on this like:

> If you aren't using https and securing the session cookie then this might make it easy to hack your site, although that's the same for any session based site (nearly all of them).
> It might be nice to add some check so that if you remove a user's rights, the session variables are deleted the next time that user requests something from the server,
> otherwise they could carry on using the site even though their account is banned. You'd have to decide if this is likely and then how you want to do this (using an authorization filter maybe.)

The above comments confused me. Can anybody make it clear? What is the best way to keep this information?


Solution

Session state uses client tickets to identify the server-side session; it may be susceptible to session ID spoofing and injection attacks.

So, to hack session values one would require hacking the remote server.

And yes, for a highly secure application (such as online banking) use https.

http://msdn.microsoft.com/en-us/magazine/cc163730.aspx#S9

Secure sockets layer (SSL) should be used to prevent network-level sniffing of session IDs, authentication tickets, application cookies, and other request/response information.

Can session value be hacked?

Other tips

Use HTTPS if your application handles sensitive information (credit-card numbers, account numbers, passwords). Store the User object (model with userId, username, role) in the session rather than separate attributes. Set the HttpOnly attribute for SESSION_ID.

It might be costly to refresh the User object stored in session before invoking every operation to reflect the current rights stored in the database.
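The expert comment in the question suggests an authorization filter that drops a session whose rights have been revoked, and this answer points out that re-reading the user from the database on every request is costly. The following is an added example (not code from the question or from either answer) of one way to combine the two in ASP.NET MVC: keep a single `SessionUser` object in session, re-check its role against the database only when the last check is older than a bounded interval, and abandon the session if the account no longer has a role. `SessionUser`, `IUserRightsStore`, `StoreFactory` and the five-minute interval are hypothetical names and values chosen for the example; the `web.config` lines in the comment are the standard ASP.NET cookie settings.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical snapshot of the logged-in user kept under one session key
// (the answer recommends one object rather than three loose session entries).
public class SessionUser
{
    public int UserId { get; set; }
    public string UserName { get; set; }
    public string RoleName { get; set; }
    public DateTime CheckedAtUtc { get; set; }  // when the role was last re-read from the database
}

// Hypothetical data-access abstraction; wire it to the real ValidateUser/role lookup.
public interface IUserRightsStore
{
    // Returns the user's current role, or null when the account is banned or deleted.
    string GetCurrentRole(int userId);
}

// Apply as [SessionRoleAuthorize(Roles = "Admin")] on the administrator controller.
public class SessionRoleAuthorizeAttribute : AuthorizeAttribute
{
    // Bound on how stale the cached role may be; trades DB load against revocation delay.
    private static readonly TimeSpan RecheckInterval = TimeSpan.FromMinutes(5);

    // Set once at application start, e.g. in Global.asax (hypothetical hook).
    public static Func<IUserRightsStore> StoreFactory;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.Session["User"] as SessionUser;
        if (user == null)
            return false;  // not logged in

        if (DateTime.UtcNow - user.CheckedAtUtc > RecheckInterval)
        {
            if (StoreFactory == null)
                throw new InvalidOperationException("SessionRoleAuthorizeAttribute.StoreFactory is not configured");

            string currentRole = StoreFactory().GetCurrentRole(user.UserId);
            if (currentRole == null)
            {
                // Rights were removed since login: discard the whole session so the
                // stale UserId/roleName values cannot be used on the next request.
                httpContext.Session.Abandon();
                return false;
            }

            user.RoleName = currentRole;
            user.CheckedAtUtc = DateTime.UtcNow;
        }

        if (string.IsNullOrEmpty(Roles))
            return true;  // any authenticated user is acceptable

        foreach (string required in Roles.Split(','))
        {
            if (string.Equals(required.Trim(), user.RoleName, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}

// Companion web.config settings for the points made in the answers (HTTPS and HttpOnly):
//
//   <system.web>
//     <httpCookies httpOnlyCookies="true" requireSSL="true" />
//   </system.web>
//
// httpOnlyCookies keeps the ASP.NET_SessionId cookie out of reach of page scripts,
// and requireSSL marks cookies Secure so the browser only sends them over HTTPS.
```

On a successful login the `LoginMe` method would store `new SessionUser { UserId = ..., UserName = ..., RoleName = ..., CheckedAtUtc = DateTime.UtcNow }` under `Session["User"]` instead of the three separate keys; the filter then re-validates the role at most once per interval, so banning a user takes effect within that window rather than on their next request, which is the trade-off the answer describes.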

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow