Menu
When using Sql Server to store and manage the SessionState, is the session data stored in the database using encryption?
When I look at the data in the ASPNet database, the data in the "SessionItemLong" in the ASPStateTempSessions columns appears to be hexadecimal data. Is this data being encrypted before being stored in the database? And if so, where is the key that is being used to encrypt the data and what algorithm is being used to encrypt the data?
Also, the Session state stores the object using serialization. Which serialization is used? (binary or XML)
699
Create a table and insert a couple of rows: Then back up the database without using compression, and open up the backup file with a hex editor: The same trick works on the data file, too.
SQL Database and SQL Managed Instance, on the other hand, need all connections to be encrypted (SSL/TLS) at all times. Furthermore, regardless of whether Encrypt or TrustServerCertificate is set in the connection string, all data is encrypted “in transit” between the client and server.
For all new SQL Server instances our cyber security team has a policy that all data traffic to and from the server should be encrypted, with encryption forced so that all connections use TLS/SSL (TLS is a more recent and more secure version of SSL).
Also, Session data is not "secure". True, it exists on the server side, but if anyone gained access to the server they would have access to the public session data. If you were to store credit card info in session you had better encrypt it with an asymetric key at a minimum.
There are no encryption there. The data is stored using binary serialization (it's much more faster than xml one). For details look at the SessionStateUtility class (you can browse it using free Reflector). This is the code which is used for serialization:
internal static void Serialize(SessionStateStoreData item, Stream stream)
{
bool flag = true;
bool flag2 = true;
BinaryWriter writer = new BinaryWriter(stream);
writer.Write(item.Timeout);
if ((item.Items == null) || (item.Items.Count == 0))
{
flag = false;
}
writer.Write(flag);
if ((item.StaticObjects == null) || item.StaticObjects.NeverAccessed)
{
flag2 = false;
}
writer.Write(flag2);
if (flag)
{
((SessionStateItemCollection) item.Items).Serialize(writer);
}
if (flag2)
{
item.StaticObjects.Serialize(writer);
}
writer.Write((byte) 0xff);
}
I had this problem recently, and had to deconstruct stored state to investigate a performance issue; the rough code was something like:
byte[] blob = ... // TODO
using (var ms = new MemoryStream(blob))
using (BinaryReader reader = new BinaryReader(ms)) {
int len = reader.ReadInt32();
bool f1 = reader.ReadBoolean(), f2 = reader.ReadBoolean();
SessionStateItemCollection items = null;
HttpStaticObjectsCollection sitems = null;
if (f1) {
items = SessionStateItemCollection.Deserialize(reader);
}
if (f2) {
sitems = HttpStaticObjectsCollection.Deserialize(reader);
}
if (reader.ReadByte() != 0xFF) {
throw new InvalidOperationException("corrupt");
}
if (items != null) {
int max = items.Count;
for (int i = 0; i < max; i++) {
object obj = items[i];
Console.WriteLine("{0}\t{1}", items.Keys[i],
obj == null ? "n/a" : obj.GetType().FullName);
}
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
