Session State


Applications that rely on per-user session state can store that state in the following locations:

  • In the ASP.NET worker process

  • In an out-of-process state service, which can run on the Web server, or on a remote server

  • In a SQL Server data store

<sessionState>

The relevant location, combined with connection details, is stored in the <sessionState> element in Machine.config. This is the default setting:

 <sessionState mode="InProc"
               stateConnectionString="tcpip=127.0.0.1:42424"
               stateNetworkTimeout="10"
               sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
               cookieless="false"
               timeout="20"/>
Note  

If you do not use the ASP.NET state service on the Web server, use the MMC Services snap-in to disable it.

Securing a SQL Server Session State Store

If you use a SQL Server session state store, use the following recommendations to help secure the session state:

  • Use Windows authentication to the database

  • Encrypt sqlConnectionString

  • Limit the application's login in the database

  • Secure the channel

For more information about setting up the SQL Server session state store database, see Microsoft Knowledge Base article 311209, "How To: Configure ASP.NET for Persistent SQL Server Session State Management."

Use Windows Authentication to the Database

If you use mode="SQLServer", use Windows authentication to connect to the state database and use a least privileged account, such as a duplicate local ASPNET account. This means that you can use a trusted connection, you do not have credentials in the connection string, and credentials are not passed over the wire to the database.

Encrypt the sqlConnectionString

Encrypt the sqlConnectionString attribute value using the Aspnet_setreg.exe tool. This is particularly important if you use SQL authentication to connect to the state database because of the credentials in the connection string, but it is also recommended if you use Windows authentication.

 Task   To encrypt the sqlConnectionString

  1. Run the following command from the command prompt.

     aspnet_setreg -k:Software\YourApp\sessionState -c:{your connection string} 

    This stores the encrypted connection string in the specified registry key and secures the registry key with a restricted ACL that grants Full Control to System, Administrators, and Creator Owner.

  2. Reconfigure the <sessionState> element and add the following sqlConnectionString attribute.

     <sessionState mode="SQLServer" sqlConnectionString="registry:HKLM\SOFTWARE\YourApp\sessionState\ASPNET_SETREG, sqlConnectionString" /> 
  3. Use Regedt32.exe to create an ACL on the above registry key that grants read access to the ASP.NET process account.

Limit the Application's Login in the Database

The application's login in the database should be restricted so that it can only be used to access the necessary state tables and the stored procedures used by ASP.NET to query the database.

 Task   To limit the application's login in the state database

  1. Create a duplicate local account on the state database server with the same name and strong password as the account that runs your ASP.NET application.

    For more information about using the ASPNET account to access a remote database, see "Data Access" later in this chapter.

  2. Create a local Windows group, for example ASPNETWebApps, on the database server and add the local ASPNET account to the group.

  3. Grant the Windows group access to SQL Server by creating a new login.

     sp_grantlogin 'MACHINE\ASPNETWebApps' 
    Note  

    Replace MACHINE with your database server name.

  4. Grant the SQL login access to the ASPState database. The following T-SQL creates a database user called WebAppUser, with which the login is associated.

     USE ASPState
     GO
     sp_grantdbaccess 'MACHINE\ASPNETWebApps', 'WebAppUser'
  5. Create a user-defined database role.

     USE ASPState
     GO
     sp_addrole 'WebAppUserRole'
  6. Add the database user to the new database role.

     USE ASPState
     GO
     sp_addrolemember 'WebAppUserRole', 'WebAppUser'
  7. Configure permissions in the database for the database role. Grant execute permissions for the stored procedures that are provided with the ASPState database.

     grant execute on CreateTempTables to WebAppUserRole 

    Repeat this command for all of the stored procedures that are provided with the ASPState database. Use SQL Server Enterprise Manager to see the full list.

Secure the Channel

To protect sensitive session state over the network between the Web server and a remote state store, secure the channel between the two servers using IPSec or SSL. This provides privacy and integrity for the session state data across the network. If you use SSL, you must install a server certificate on the database server. For more information about using SSL with SQL Server, see Chapter 18, "Securing Your Database Server."

Securing the Out-of-Process State Service

If you use mode="StateServer", use the following recommendations to help secure session state:

  • Use a least privileged account to run the state service

  • Secure the channel

  • Consider changing the default port

  • Encrypt the state connection string

Use a Least Privileged Account to Run the State Service

The state service runs by default using the ASPNET local, least privileged account. You should not need to change this configuration.

Secure the Channel

If the state service is located on a remote server, secure the channel to the remote state store using IPSec to ensure the user state remains private and unaltered.

Consider Changing the Default Port

The ASP.NET state service listens on port 42424. To avoid using this default, well-known port, you can change the port by editing the following registry key:

 HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters 

The port number is defined by the Port named value. If you change the port number in the registry, for example, to 45678, you must also change the connection string on the <sessionState> element, as follows:

 stateConnectionString="tcpip=127.0.0.1:45678" 

Encrypt the stateConnectionString

Encrypt the stateConnectionString attribute value to hide the IP address and port number of your state store. Use the Aspnet_setreg.exe tool.

 Task   To encrypt the stateConnectionString

  1. Run the following command from the command prompt.

     aspnet_setreg -k:Software\YourApp\sessionState -d:{your connection string} 

    This stores the encrypted connection string in the specified registry key and secures the registry key with a restricted ACL that grants Full Control to System, Administrators, and Creator Owner.

  2. Reconfigure the <sessionState> element and add the following stateConnectionString attribute:

     <sessionState mode="StateServer" stateConnectionString="registry:HKLM\SOFTWARE\YourApp\sessionState\ASPNET_SETREG,stateConnectionString" ... /> 
  3. Use Regedt32.exe to create an ACL on the above registry key that grants read access to the ASP.NET process account.
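The following script is an added example and is not code from the book or from Microsoft. It parses a Machine.config or Web.config fragment and reports the weaknesses this section warns about: a clear-text sqlConnectionString or stateConnectionString, SQL authentication credentials in the connection string, and a state service addressed on the default port 42424. The sample configuration fragments, the finding codes, and the function names are constructed for the example; the attribute names, the registry: prefix that Aspnet_setreg.exe writes, and the port number are the ones this section describes.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_STATE_PORT = 42424  # well-known default port of the ASP.NET state service

# Constructed sample configurations (assumed for this example, not from the book).
# Machine.config default: InProc, so neither connection string is used.
DEFAULT_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  stateNetworkTimeout="10"
                  sqlConnectionString="data source=127.0.0.1;Integrated Security=SSPI"
                  cookieless="false" timeout="20"/>
  </system.web>
</configuration>"""

# SQLServer mode with SQL authentication and a clear-text connection string.
WEAK_SQL_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=dbserver;User ID=aspstate;Password=s3cret"
                  cookieless="false" timeout="20"/>
  </system.web>
</configuration>"""

# SQLServer mode after the section's recommendations: an Aspnet_setreg.exe registry reference.
HARDENED_SQL_CONFIG = r"""<configuration>
  <system.web>
    <sessionState mode="SQLServer"
                  sqlConnectionString="registry:HKLM\SOFTWARE\YourApp\sessionState\ASPNET_SETREG,sqlConnectionString"
                  cookieless="false" timeout="20"/>
  </system.web>
</configuration>"""

# StateServer mode pointing at a remote state service on the default port, in clear text.
WEAK_STATE_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=10.0.0.5:42424"
                  cookieless="false" timeout="20"/>
  </system.web>
</configuration>"""

# Finding codes (constructed for this example) and the recommendation each maps to.
FINDINGS = {
    "CLEARTEXT_SQL_CONN": "sqlConnectionString is stored in clear text; encrypt it with aspnet_setreg -c",
    "SQL_AUTH_CREDENTIALS": "sqlConnectionString carries SQL login credentials; use Windows authentication",
    "NO_WINDOWS_AUTH": "sqlConnectionString does not request a trusted (Windows) connection",
    "CLEARTEXT_STATE_CONN": "stateConnectionString is stored in clear text; encrypt it with aspnet_setreg -d",
    "DEFAULT_STATE_PORT": "state service is addressed on the default port 42424; consider changing it",
}


def is_registry_reference(value):
    # Aspnet_setreg.exe replaces the attribute value with "registry:HKLM\...\ASPNET_SETREG,<name>".
    return value.strip().lower().startswith("registry:")


def audit_session_state(config_xml):
    """Return the finding codes (keys of FINDINGS) raised by one configuration document."""
    root = ET.fromstring(config_xml)
    node = root.find("system.web/sessionState")
    if node is None:
        return []  # no element: ASP.NET's InProc default applies, nothing leaves the worker process
    mode = node.get("mode", "InProc").lower()
    findings = []
    if mode == "sqlserver":
        conn = node.get("sqlConnectionString", "")
        if not is_registry_reference(conn):
            findings.append("CLEARTEXT_SQL_CONN")
            # Only a clear-text string can be inspected for its authentication style.
            if re.search(r"\b(password|pwd|user id|uid)\s*=", conn, re.I):
                findings.append("SQL_AUTH_CREDENTIALS")
            elif not re.search(r"\b(integrated security\s*=\s*(sspi|true|yes)|trusted_connection\s*=\s*(yes|true))\b",
                               conn, re.I):
                findings.append("NO_WINDOWS_AUTH")
    elif mode == "stateserver":
        conn = node.get("stateConnectionString", "")
        if not is_registry_reference(conn):
            findings.append("CLEARTEXT_STATE_CONN")
            match = re.fullmatch(r"tcpip=([^:]+):(\d+)", conn.strip(), re.I)
            if match and int(match.group(2)) == DEFAULT_STATE_PORT:
                findings.append("DEFAULT_STATE_PORT")
    # InProc and Off keep state in the worker process or disable it; the connection strings are unused.
    return findings


if __name__ == "__main__":
    samples = [("Machine.config default (InProc)", DEFAULT_CONFIG),
               ("weak SQLServer", WEAK_SQL_CONFIG),
               ("hardened SQLServer", HARDENED_SQL_CONFIG),
               ("weak StateServer", WEAK_STATE_CONFIG)]
    for label, config in samples:
        codes = audit_session_state(config)
        print(f"{label}: {'no findings' if not codes else ''}")
        for code in codes:
            print(f"  {code}: {FINDINGS[code]}")
```

Run the script against a copy of Machine.config or an application's Web.config to list which of this section's recommendations still apply. Once Aspnet_setreg.exe has replaced a connection string with its registry: reference, the script can no longer see the string's contents, so the authentication and port checks are only reported for clear-text values.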


Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613