
Best way to hide values for sessionState provider

I am using a Redis cache Session State Provider in my MVC application. Of course, all the settings for the provider are in my Web.config. The app works if I simply put the Host and Key and all that in as simple strings, so it looks like this:

  <sessionState mode="Custom" customProvider="MySessionStateStore">
    <providers>
      <add
        type="Microsoft.Web.Redis.RedisSessionStateProvider"
        name="MySessionStateStore"
        host="[HOST]"
        port="6379"
        accessKey="[KEY]"
        ssl="false"
        throwOnError="true"
        retryTimeoutInMilliseconds="5000"
        databaseId="0"
        applicationName="TRAXProSurvey"
        connectionTimeoutInMilliseconds="5000"
        operationTimeoutInMilliseconds="1000"
      />
    </providers>
  </sessionState>

...where "[HOST]" and "[KEY]" are instead the actual values. But that is not exactly safe, right? Is there a way to hide that information somehow?

I know of the use of App Settings in Azure configuration - in fact I'm using a couple for something else. But I'm not finding a way to be able to use those here specifically. I can create the app setting variable, but what is the way to access that value within the sessionState?? I tried using System.Configuration.ConfigurationManager.AppSettings("[name]") - just that, that with quotes, and that with single quotes.

I figured maybe I just encrypt the Web.config... I found that you can add <MSDeployEnableWebConfigEncryptRule>true</MSDeployEnableWebConfigEncryptRule> in the .pubxml - but that does not work for regular Azure websites.

I also found articles/examples for encrypting sections of Web.config using aspnet_regiis....but doing that would not work in a web farm environment like Azure, right?

So what other options (if any) are there? ...or is this just not possible? Thank you!

Andy asked Jun 03 '15 16:06


1 Answer

You can use App Settings for providing Redis session state configuration like below.

As an example, we want to set host and accessKey in app settings.

<appSettings>
  <add key="SomeHostKey" value="actual host value" />
  <add key="SomeAccessKey" value="actual access key" />
</appSettings>

You can choose any string as the 'key' inside app settings. You can set the app setting from the Azure portal.

Now, use this key as the value in web.config like below:

<sessionState mode="Custom" customProvider="MySessionStateStore">
  <providers>
    <add
      type="Microsoft.Web.Redis.RedisSessionStateProvider"
      name="MySessionStateStore"
      host="SomeHostKey"
      port="6379"
      accessKey="SomeAccessKey"
      ssl="false"
      throwOnError="true"
      retryTimeoutInMilliseconds="5000"
      databaseId="0"
      applicationName="TRAXProSurvey"
      connectionTimeoutInMilliseconds="5000"
      operationTimeoutInMilliseconds="1000"
    />
  </providers>
</sessionState>

You can provide all parameters by app settings if you want to. You can provide a few parameters by app settings and the remaining ones by web.config, as you wish. The session state provider will find out whether you are providing an actual value or an app setting key in web.config.

Siddharth Chatrola answered Oct 13 '22 10:10
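A pre-deployment check for the indirection described in the answer above, as an added example that is not part of the original answer or of the provider's own code: it parses a Web.config and reports whether host and accessKey on the Redis provider name an app setting or would be used as literal values. The function name audit_session_state, the portal_keys parameter and the sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: host uses the app-setting indirection from the answer,
# accessKey is still a literal value placed directly in the file.
SAMPLE_CONFIG = """
<configuration>
  <appSettings>
    <add key="SomeHostKey" value="placeholder-set-in-portal" />
  </appSettings>
  <system.web>
    <sessionState mode="Custom" customProvider="MySessionStateStore">
      <providers>
        <add type="Microsoft.Web.Redis.RedisSessionStateProvider"
             name="MySessionStateStore"
             host="SomeHostKey" port="6379"
             accessKey="constructed-literal-key=" ssl="false" />
      </providers>
    </sessionState>
  </system.web>
</configuration>
"""

SENSITIVE_ATTRS = ("host", "accessKey")


def audit_session_state(config_xml, portal_keys=()):
    """Classify each sensitive provider attribute as 'app-setting' or 'literal'.

    portal_keys: names of app settings defined only in the Azure portal
    (an assumption of this example; the file alone cannot reveal them).
    """
    root = ET.fromstring(config_xml)
    known = {a.get("key") for a in root.findall("./appSettings/add")} | set(portal_keys)
    findings = {}
    for provider in root.findall(".//sessionState/providers/add"):
        if "RedisSessionStateProvider" not in provider.get("type", ""):
            continue
        for attr in SENSITIVE_ATTRS:
            value = provider.get(attr)
            if value is not None:
                # A value naming a known app setting is resolved at runtime;
                # anything else (a real secret or a mistyped key name) is
                # taken as the connection value itself.
                kind = "app-setting" if value in known else "literal"
                findings[(provider.get("name"), attr)] = kind
    return findings


if __name__ == "__main__":
    for (name, attr), kind in audit_session_state(SAMPLE_CONFIG).items():
        print(f"{name}.{attr}: {kind}")
```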