How do I secure Session State information?
From Guidance Share
J.D. Meier, Prashant Bansode, Alex Mackman
- Store session state on the server
- If you're using a SQL Server state store, secure the connection string (see below) and use Windows authentication to connect to the database. Also use a least privileged database account.
- If you're using the out of process state service, consider changing the default port. The ASP.NET state service listens on port 42424. To avoid using this default, well known port, you can change the port by editing the following registry key:
- The port number is defined by the Port named value. If you change the port number in the registry, for example, to 45678, you must also change the connection string on the <sessionState> element, as follows:
- Limit session lifetime
- Secure the channel from your Web application to the session store
- Secure the session store connection string
- Use the aspnet_setreg tool to secure the connection string on the <sessionState> element.
stateConnectionString="tcpip=127.0.0.1:42424" stateNetworkTimeout="10" sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI" cookieless="false" timeout="20"/>
- For more information about Aspnet_setreg.exe, see Microsoft Knowledge Base article 329290, "How to use the ASP.NET utility to encrypt credentials and session state connection strings" at http://support.microsoft.com/default.aspx?scid=kb;en-us;329290.