Return to
HomePage
Question: How should I secure session information?
Answer:
* Store session state on the server
* If you're using a SQL Server state store, secure the connection string (see below) and use Windows authentication to connect to the database. Also use a least privileged database account.
* If you're using the out of process state service, consider changing the default port. The ASP.NET state service listens on port
42424. To avoid using this default, well known port, you can change the port by editing the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters
* The port number is defined by the
Port named value. If you change the port number in the registry, for example, to
45678, you must also change the connection string on the
<sessionState> element, as follows:
stateConnectionString="tcpip=127.0.0.1:45678"
* Limit session lifetime
* Secure the channel from your Web application to the session store
* Secure the session store connection string
* Use the
aspnet_setreg tool to secure the connection string on the
<sessionState> element.
<sessionState mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
stateNetworkTimeout="10" sqlConnectionString="data
source=127.0.0.1;Integrated Security=SSPI"
cookieless="false" timeout="20"/>
* For more information about
Aspnet_setreg.exe, see Microsoft Knowledge Base article 329290, "How to use the ASP.NET utility to encrypt credentials and session state connection strings" at http://support.microsoft.com/default.aspx?scid=kb;en-us;329290.
Return to
HomePage
WindowsClient: Several WPF Localization questions
Silverlight: Commitments
Mix Online: When Projects Fall Apart
Channel 10: Adding Flip 3D to Windows 7's Taskbar
