In an MVC App, can Session be hacked?
How confident should a Controller Action be that the Session data is legit?
Something tells me, zero percent confident.
Is the data stored in Session under the same restriction as query string params? That it must be encrypted? Or does the .NET Framework take care of that?