MVC - Store secure information

Question

I just come a cross with this question during my MVC studies. Is it possible that b is the correct answer?

You are designing a distributed application. The application must store secure information that is specific to an individual user. The data must be automatically purged when the user logs off. You need to save transient information in a secure data store. Which data store should you use?

A. Session state

B. Database storage

C. Profile properties

D. Application state

Thanks,

Answer 1

If "The data must be automatically purged when the user logs off", then there is literally no need for B or C. D (application state) is single across users, so your best bet is A.

From MSDN

...application state is a useful place to store small amounts of often-used data that does not change from one user to another. For information on saving data on a per-user basis see ASP.NET Session State Overview and ASP.NET Profile Properties Overview. [Ref]

This indicates A and C are possibilities, however -

[Profile properties] is similar to session state, except that the profile data is not lost when a user's session expires. [Ref]

which does not satisfy, "data must be automatically purged when the user logs off.", leaving A as the appropriate answer.

Answer 2

My thoughts on this question: Session in asp.net can be configured to store info in db, and by default it stores info in-proc, that's not suitable for distributed application. So, session option alone does not fit. But db option can be used with session: this will satisfy condition of purging info after user logoff from one side, and store info in secure store (db) from the other.

Upd. If i could choose multiple options (each as a part of solution) i would choose session + state server or database. But since i can choose only one answer, i would prefer session.