Saving Username into session property to help secure site

blr228

New Member
For starters, this is a practice project and will not be used by the general public. I need to secure some pages in my website using session properties for the username. This occurs (the username saved into the session) when a correct username and password combo is entered. My boss reviewed my implementation and said that "storing the username value into the HttpSessionState directly is wrong, you should set the username property of the session, and store the session object into the HttpSessionState". Now I think I understand what parts of my code he is referring to, but changing this breaks the security (anyone can use a direct link to a page once a single user has logged in).

Make sure to read the comments in the code; I added them to describe the lines in question.

What worked in terms of security, but the username is stored directly into HttpSessionState:

[code]
// login.ascx.cs
private void Login_Click(object sender, EventArgs e)
{
    if (sender == null || e == null)
    {
        throw new ArgumentNullException("Null Exception: Login_Click");
    }

    User user = new User();
    user.Login(_username.Text, _password.Text);

    if (user.IsValid() && user.GetIsUser() != false)
    {
        user.Save();
        // The line below is what I used to make the secure pages work properly,
        // but based on what my boss says, I think this is what should be changed.
        Session["Username"] = _username.Text;
        // What I tried instead was to set 'MySession.Current.Username = _username.Text;'
        // which allowed successful login, but the pages became insecure once again.
        Response.Redirect("Secure/Default.aspx");
    }
    else
    {
        DisplayErrors(user._validationErrors);
    }
    _errors.Text = errorMessage;
}
[/code]

and MySession.cs:

[code]
// MySession.cs
public string Username
{
    get
    {
        if (HttpContext.Current.Session["Username"] == null)
        {
            return string.Empty;
        }
        else
        {
            return HttpContext.Current.Session["Username"].ToString();
        }
    }
    set
    {
        // When the line below is uncommented, the secure pages are vulnerable,
        // but if I comment it out, they work properly.
        //HttpContext.Current.Session["Username"] = value;
    }
}
[/code]

So how can I "set the username property of the session, and store the session object into the HttpSessionState" while still maintaining a secure site?
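The pattern the boss describes, as an added example that is not code from the original post: one typed session object is created per user, stored under a single key in HttpSessionState, and re-read from HttpContext.Current.Session on every access; the secured pages inherit a base page that redirects to the login page whenever that object carries no username. The class name MySession, the session key, the SecurePage base class and the ~/Login.aspx URL are assumptions; User, _username, _password and DisplayErrors are the question's own members and are referenced as-is.

```csharp
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Typed session wrapper. The per-user instance lives inside
// HttpContext.Current.Session. It must never be cached in a static field:
// a static is shared by every user served by the worker process, so one
// login would make the whole site "logged in".
[Serializable]
public sealed class MySession
{
    private const string SessionKey = "__MySession";   // assumed key name

    private MySession() { }

    // Fetches (or lazily creates) this user's object from HttpSessionState.
    public static MySession Current
    {
        get
        {
            HttpSessionState state = HttpContext.Current.Session;
            MySession session = state[SessionKey] as MySession;
            if (session == null)
            {
                session = new MySession();
                state[SessionKey] = session;   // store the object, not the string
            }
            return session;
        }
    }

    // Set by the login handler only; read by the secured pages.
    public string Username { get; set; }

    public bool IsAuthenticated
    {
        get { return !string.IsNullOrEmpty(Username); }
    }

    // Logout: drop the object and everything else held in the session.
    public static void Clear()
    {
        HttpContext.Current.Session.Remove(SessionKey);
        HttpContext.Current.Session.Abandon();
    }
}

// Every page under Secure/ inherits this instead of System.Web.UI.Page,
// so the check cannot be forgotten on an individual page.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (!MySession.Current.IsAuthenticated)
        {
            // endResponse: true aborts the rest of the page lifecycle,
            // so nothing from the protected page is rendered.
            Response.Redirect("~/Login.aspx", true);   // assumed login URL
        }
    }
}

// The question's login handler, rewritten to go through MySession.
public partial class Login : UserControl
{
    private void Login_Click(object sender, EventArgs e)
    {
        User user = new User();                      // the question's own User class
        user.Login(_username.Text, _password.Text);
        if (user.IsValid() && user.GetIsUser() != false)
        {
            user.Save();
            // Discard any state accumulated before the credentials were verified.
            Session.Clear();
            MySession.Current.Username = _username.Text;
            Response.Redirect("~/Secure/Default.aspx", true);
        }
        else
        {
            DisplayErrors(user._validationErrors);
        }
    }
}
```

Two checks worth making against a setup like this. First, open a secured page in a second browser (or a private window) while the first browser is logged in; it must be redirected to the login page, which is what fails when the session object is held anywhere other than the per-user HttpSessionState. Second, note that Session.Clear() empties the state but ASP.NET keeps issuing the same ASP.NET_SessionId across the login; Session.Abandon() alone does not change it either while the cookie is still present, so a session-fixation defence additionally has to expire that cookie before the new login is recorded. For anything beyond a practice project, Forms Authentication (FormsAuthentication.SetAuthCookie plus <authorization> rules in web.config) is the built-in mechanism for exactly this, and it also avoids hand-written per-page checks.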
 