Does sensitive ASP.NET Session data need to be encrypted?

Question

Do ASP.NET Session[string key] data need to be encrypted to be secure?

If such data always stays on the server, doesn\'t that make it safe to store credit card infor

Answer 1

1. The question refers to the data being stored in memory on the same server, but that's just the default configuration. You can also set up a state server, write to a nosql db etc. Stateless web servers are becoming increasingly more common thanks to the rise of the cloud and platforms-as-a-service.

2. Depending on your security policy, credit cards and passwords may not be the only information that you consider "confidential". Some orgs consider customer information such as addresses to be confidential as well. This means that any multi-step session checkout would contain "confidential" information.

The answer to this specific question may be a "no", but future readers might need to consider these additional items as well.

Answer 2

I share m.edmondson idea, in the fact that sensitive information should be stored in database, (there are many techniques to dealing with sql-injection). Also for securing your site you should use HTTPS. But if you're going to store information that is not so sensitive for passing between pages you can use session variables, don forget to delete such variables as soon as possible. Remember you can aver going to the database to retrieve the data, only non-sensitive and time-consuming data should be stored in session scope.

Answer 3

No. You should never store this information in the session. Even encrypted this information is vulnerable. Sessions may get hijacked, a server may get compromised and then everything that is in memory that happens to be used in memory as plaintext will be viewable to anyone with a hex editor. If you need references to this information, you should create hashes that are stored and not replayable that reference the information in a secure datastore.

EDIT: For those that think session data is safe:

http://en.wikipedia.org/wiki/Session_hijacking
http://en.wikipedia.org/wiki/Session_fixation
http://en.wikipedia.org/wiki/Session_poisoning
http://www.owasp.org/index.php/2.0_Session_State_(in)security_(and_the_dangers_of_State_Server)

There are ways of protecting session data, but if you need to keep very sensitive information such as passwords or credit card numbers, the session is not the place for it. Try coding to the Sarbanes Oxley legal requirements for banking and medical applications, and you'll find in your first audit that this is one of the first things that gets checked.

http://en.wikipedia.org/wiki/Session_management

Answer 4

Anything sensitive should go straight to the database, and not hang around in memory longer than needed. I don't understand why you'd need to store passwords or credit card data in session variables anyway, are you passing them between pages?

Answer 5

Depends -- how much do you trust every other app on your server?

Answer 6

With all the downvotes being thrown around here, I'll add my own two cents:

I think that anything that stays in server memory, including ASP.NET Session data, is safe in unencrypted form. An attacker would have to be able to execute code on the server in order to read the memory.

On a side note, once it's stored in a database, data should be encrypted. If it's sent to the client, it should also be encrypted, but that's outside the scope of this question. Lastly, of course, the data must be encrypted on its way from the client to the server.