Does sensitive ASP.NET Session data need to be encrypted?

既然无缘 2021-01-14 22:47

Do ASP.NET Session[string key] data need to be encrypted to be secure?

If such data always stays on the server, doesn't that make it safe to store credit card infor

6 answers
  •  别那么骄傲
    2021-01-14 23:41

    With all the downvotes being thrown around here, I'll add my own two cents:

    I think that anything that stays in server memory, including ASP.NET Session data, is safe in unencrypted form. An attacker would have to be able to execute code on the server in order to read the memory.

    On a side note, once it's stored in a database, data should be encrypted. If it's sent to the client, it should also be encrypted, but that's outside the scope of this question. Lastly, of course, the data must be encrypted on its way from the client to the server.
