Applications that rely on per user session state can store session state in the following locations:
In the ASP.NET worker process
In an out-of-process state service, which can run on the Web server, or on a remote server
In a SQL Server data store
The relevant location, combined with connection details, is stored in the <sessionState> element in Machine.config. This is the default setting:
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" stateNetworkTimeout="10" sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI" cookieless="false" timeout="20"/>
Note: If you do not use the ASP.NET state service on the Web server, use the MMC Services snap-in to disable it.
If you use a SQL Server session state store, use the following recommendations to help secure the session state:
Use Windows authentication to the database
Encrypt sqlConnectionString
Limit the application's login in the database
Secure the channel
For more information about setting up the SQL Server session state store database, see Microsoft Knowledge Base article 311209, "How To: Configure ASP.NET for Persistent SQL Server Session State Management."
If you use mode="SQLServer", use Windows authentication to connect to the state database and use a least privileged account, such as a duplicate local ASPNET account. This means that you can use a trusted connection, you do not have credentials in the connection string, and credentials are not passed over the wire to the database.
Encrypt the sqlConnectionString attribute value using the Aspnet_setreg.exe tool. This is particularly important if you use SQL authentication to connect to the state database because of the credentials in the connection string, but it is also recommended if you use Windows authentication.
Task: To encrypt the sqlConnectionString
Run the following command from the command prompt.
aspnet_setreg -k:Software\YourApp\sessionState -c:{your connection string}
This stores the encrypted connection string in the specified registry key and secures the registry key with a restricted ACL that grants Full Control to System, Administrators, and Creator Owner.
Reconfigure the <sessionState> element and add the following sqlConnectionString attribute.
<sessionState mode="SQLServer" sqlConnectionString="registry:HKLM\SOFTWARE\YourApp\sessionState\ASPNET_SETREG, sqlConnectionString" />
Use Regedt32.exe to create an ACL on the above registry key that grants read access to the ASP.NET process account.
The application's login in the database should be restricted so that it can only be used to access the necessary state tables and the stored procedures used by ASP.NET to query the database.
Task: To limit the application's login in the state database
Create a duplicate local account on the state database server with the same name and strong password of the account that runs your ASP.NET application.
For more information about using the ASPNET account to access a remote database, see "Data Access" later in this chapter.
Create a local Windows group, for example ASPNETWebApps, on the database server and add the local ASPNET account to the group.
Grant the Windows group access to SQL Server by creating a new login.
sp_grantlogin 'MACHINE\ASPNETWebApps'
Note: Replace MACHINE with your database server name.
Grant the SQL login access to the ASPState database. The following T-SQL creates a database user called WebAppUser, with which the login is associated.
USE ASPState
GO
sp_grantdbaccess 'MACHINE\ASPNETWebApps', 'WebAppUser'
Create a user-defined database role.
USE ASPState
GO
sp_addrole 'WebAppUserRole'
Add the database user to the new database role.
USE ASPState
GO
sp_addrolemember 'WebAppUserRole', 'WebAppUser'
Configure permissions in the database for the database role. Grant execute permissions for the stored procedures that are provided with the ASPState database.
grant execute on CreateTempTables to WebAppUserRole
Repeat this command for all of the stored procedures that are provided with the ASPState database. Use SQL Server Enterprise Manager to see the full list.
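As an added example (not part of the original chapter), the following T-SQL performs the grant for every stored procedure in the ASPState database in one pass, so that none of them is missed, and then lists what the role actually holds. It assumes the WebAppUserRole role has already been created as described above and that the script runs as a database owner or sysadmin.

```sql
-- Added example: grant EXECUTE on all ASPState stored procedures to
-- WebAppUserRole in a loop instead of repeating the GRANT by hand.
-- Assumes the role already exists and the script runs as dbo/sysadmin.
USE ASPState
GO
SET NOCOUNT ON

DECLARE @proc sysname
DECLARE @sql  nvarchar(512)

-- Enumerate the stored procedures (xtype 'P'); this is the same list
-- Enterprise Manager shows under Stored Procedures. Skip objects flagged
-- as shipped by Microsoft (for example the dt_* diagram procedures).
DECLARE proc_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM   sysobjects
    WHERE  xtype = 'P'
      AND  OBJECTPROPERTY(id, 'IsMSShipped') = 0
    ORDER BY name

OPEN proc_cursor
FETCH NEXT FROM proc_cursor INTO @proc
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps an unusual procedure name from breaking the batch.
    SET @sql = N'GRANT EXECUTE ON ' + QUOTENAME(@proc) + N' TO WebAppUserRole'
    PRINT @sql
    EXEC sp_executesql @sql
    FETCH NEXT FROM proc_cursor INTO @proc
END

CLOSE proc_cursor
DEALLOCATE proc_cursor
GO

-- Verify the result: the role should hold EXECUTE on the procedures only,
-- with no direct SELECT/INSERT/UPDATE/DELETE on the state tables.
EXEC sp_helprotect NULL, 'WebAppUserRole'
GO
```

Review the sp_helprotect output after any ASP.NET service pack that re-runs the state database install script, because newly created procedures will not carry the grant.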
To protect sensitive session state over the network between the Web server and remote state store, secure the channel to the two servers using IPSec or SSL. This provides privacy and integrity for the session state data across the network. If you use SSL, you must install a server certificate on the database server. For more information about using SSL with SQL Server, see Chapter 18, "Securing Your Database Server."
If you use mode="StateServer", use the following recommendations to help secure session state:
Use a least privileged account to run the state service
Secure the channel
Consider changing the default port
Encrypt the state connection string
The state service runs by default using the ASPNET local, least privileged account. You should not need to change this configuration.
If the state service is located on a remote server, secure the channel to the remote state store using IPSec to ensure the user state remains private and unaltered.
The ASP.NET state service listens on port 42424. To avoid using this default, well-known port, you can change the port by editing the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters
The port number is defined by the Port named value. If you change the port number in the registry, for example, to 45678, you must also change the connection string on the <sessionState> element, as follows:
stateConnectionString="tcpip=127.0.0.1:45678"
Encrypt the stateConnectionString attribute value to hide the IP address and port number of your state store. Use the Aspnet_setreg.exe tool.
Task: To encrypt the stateConnectionString
Run the following command from the command prompt.
aspnet_setreg -k:Software\YourApp\sessionState -d:{your connection string}
This stores the encrypted connection string in the specified registry key and secures the registry key with a restricted ACL that grants Full Control to System, Administrators, and Creator Owner.
Reconfigure the <sessionState> element and add the following stateConnectionString attribute:
<sessionState mode="StateServer" stateConnectionString="registry:HKLM\SOFTWARE\YourApp\sessionState\ASPNET_SETREG,stateConnectionString" ... />
Use Regedt32.exe to create an ACL on the above registry key that grants read access to the ASP.NET process account.