asp.net-mvc session client-side server-side

Session: server side or client side (accessible or not)?


I'm saving some basic user information in Session in my ASP.NET MVC application. How safe is it to save UserGroup in there and access it to see if the user is an Administrator or a normal User?

Before running any action, I am asking directly from the database whether the user is an administrator or not, but still, I would like to know if the way above is safe.

Also, I am using FormsAuthentication, if that changes anything.


Solution

  • Using session for storing userInfo is not a risky affair, as this information will not be passed on to the client side ever. UserAccessRights would be something you would be checking at every action, so it is good to keep that in session instead of retrieving it from the DB every time. The only problem is that when your user rights are updated you need to update the session as well to reflect it.
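
One way to handle the stale-rights problem the answer mentions, as an added example that is not part of the original answer: an MVC authorization filter that reads UserGroup from Session and reloads it from the database once the cached copy is too old. `IUserGroupStore`, the `UserGroupLoadedUtc` session key, the `RequireGroupAttribute` name and the five-minute maximum age are assumptions made for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup; stands in for the application's own database query.
public interface IUserGroupStore
{
    string GetUserGroup(string userName);
}

// Authorizes from a session-cached UserGroup and re-reads it from the store
// once the cached copy is older than MaxAge, so rights changes take effect.
public class RequireGroupAttribute : AuthorizeAttribute
{
    private const string GroupKey = "UserGroup";           // session keys are assumptions
    private const string LoadedKey = "UserGroupLoadedUtc";
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(5);

    // Assumed to be assigned once at application start (e.g. in Global.asax).
    public static IUserGroupStore Store { get; set; }

    public string Group { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // FormsAuthentication must already have established the identity.
        if (!base.AuthorizeCore(httpContext)) return false;
        var session = httpContext.Session;
        if (session == null) return false;                 // fail closed without a session

        var loaded = session[LoadedKey] as DateTime?;
        var group = session[GroupKey] as string;
        if (group == null || loaded == null || DateTime.UtcNow - loaded.Value > MaxAge)
        {
            // Cache miss or stale copy: go back to the authoritative source.
            group = Store.GetUserGroup(httpContext.User.Identity.Name);
            session[GroupKey] = group;
            session[LoadedKey] = DateTime.UtcNow;
        }
        return string.Equals(group, Group, StringComparison.Ordinal);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but wrong group: 403 rather than a redirect to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Applied as `[RequireGroup(Group = "Administrator")]` on a controller or action, this bounds how long a demoted user keeps the old group to the chosen maximum age.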