How do I secure Session State information?

From Guidance Share

Jump to: navigation, search

J.D. Meier, Prashant Bansode, Alex Mackman

Answer

  • Store session state on the server
  • If you're using a SQL Server state store, secure the connection string (see below) and use Windows authentication to connect to the database. Also use a least privileged database account.
  • If you're using the out of process state service, consider changing the default port. The ASP.NET state service listens on port 42424. To avoid using this default, well known port, you can change the port by editing the following registry key:
 HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters
  • The port number is defined by the Port named value. If you change the port number in the registry, for example, to 45678, you must also change the connection string on the <sessionState> element, as follows:
stateConnectionString="tcpip=127.0.0.1:45678"
  • Limit session lifetime
  • Secure the channel from your Web application to the session store
  • Secure the session store connection string
  • Use the aspnet_setreg tool to secure the connection string on the <sessionState> element.

<sessionState mode="InProc"

             		stateConnectionString="tcpip=127.0.0.1:42424"
             		stateNetworkTimeout="10" sqlConnectionString="data
             		source=127.0.0.1;Integrated Security=SSPI"
             		cookieless="false" timeout="20"/>
Personal tools