Securing the ASP.NET Session-State Connection String

Applies To: Windows Server 2003, Windows Server 2003 with SP1

When you use either of the out-of-process methods for maintaining session state (the ASP.NET state service or Microsoft SQL Server), the ASP.NET session state connection string is stored in the Machine.config or Web.config file in plain text. You can further secure the session state connection strings by placing them in the registry and then modifying the Machine.config or Web.config file to point to the corresponding registry keys.

For more information about configuring ASP.NET to store the session connection strings in the registry, see Knowledge Base article 329290, HOW TO: Use the ASP.NET Utility to Encrypt Credentials and Session State Connection Strings.
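The following audit script is an added example, not part of the original Microsoft page. It parses a configuration file and reports whether the connection string for the active out-of-process mode is still stored in plain text or has been replaced by a registry reference. It assumes the `registry:` reference format described in Knowledge Base article 329290; the server, account, and registry key names in the sample inputs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Attribute that holds the connection string for each out-of-process mode.
MODE_ATTR = {"stateserver": "stateConnectionString",
             "sqlserver": "sqlConnectionString"}

def audit_session_state(config_xml):
    """Return (mode, attribute, verdict) for every out-of-process <sessionState>."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Compare local names so a namespaced <configuration> root still matches.
        if el.tag.rsplit("}", 1)[-1] != "sessionState":
            continue
        mode = el.get("mode", "InProc")
        attr = MODE_ATTR.get(mode.lower())
        if attr is None:
            continue  # InProc or Off: no connection string is in use
        value = el.get(attr, "").strip()
        if value.lower().startswith("registry:"):
            verdict = "registry"      # file only points at a registry value
        elif value:
            verdict = "plaintext"     # connection string readable in the file
        else:
            verdict = "missing"       # not set here; inherited or default value applies
        findings.append((mode, attr, verdict))
    return findings

# Constructed sample inputs; server, account and key names are placeholders.
WEAK_CONFIG = r"""<configuration><system.web>
  <sessionState mode="SQLServer"
    sqlConnectionString="data source=db01;user id=EXAMPLE_USER;password=EXAMPLE_PASSWORD" />
</system.web></configuration>"""

HARDENED_CONFIG = r"""<configuration><system.web>
  <sessionState mode="SQLServer"
    sqlConnectionString="registry:HKLM\SOFTWARE\ExampleApp\sessionState\ASPNET_SETREG,sqlConnectionString" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for mode, attr, verdict in audit_session_state(xml_text):
            print(f"{name}: mode={mode} {attr} -> {verdict}")
```

A "plaintext" verdict on Machine.config or any Web.config marks a file that should be converted to a registry reference and have its access control list reviewed.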

Warning

Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference on the Microsoft Windows Server 2003 Deployment Kit companion CD.