July 30, 2010
SQL Security Forums
Subject: ASP.NET session state

Stefan
02/10/2002 4:34 AM
I have a web server + SQL server setup running a web application built on top of .Net. I configured ASP.NET to store session state in the SQL Server. The problem is session state contains sensitive data and by default it's stored in tempdb. Any suggestions for securing? Should I encrypt the data? Should I change the stored procedures to store it in some other database to which I restrict access (tempdb allows guest)? Thanks.
Chip Andrews
02/10/2002 6:52 AM
Interesting question. I have to ask though, besides the obvious threat of a SQL Injection attack exposing the tempdb to queries, who else would have access to the SQL Server in order to get at tempdb? Someone would still need a valid login to come in from any other location than through the application itself. Please elaborate.
Stefan
02/10/2002 6:55 PM
No other logins aside from machinename\ASPNET and Administrators of course are granted access to the SQL Server. What I'm not familiar with is the meaning of the guest account, which cannot be removed from tempdb. That is the reason I'm thinking of "relocating" the data to another database. Another solution would be to encrypt the session data using a mechanism similar to the one ASP.NET uses to encrypt ViewState/cookie data (that is, using the machine key defined in machine.config).
Chip Andrews
02/10/2002 11:37 PM
The guest account allows logins who have not been granted explicit access to the database to obtain access. However, in this case it is not a security issue since you are in control of all logins. A user must still have a valid login to gain access to the SQL Server at any level. You could definitely encrypt the data in the session table with a symmetric key, but I don't see what that would buy you at this stage other than the performance hit of having to perform crypto on each request. Since the key location is also known, the attacker will simply have to collect it as well. But, if it helps you sleep at night, feel free.
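The option Stefan raises of relocating session data out of tempdb into a database with restricted access, together with the guest-account behaviour Chip describes, as an added T-SQL example (not code from the thread and not ASP.NET's own session-state install scripts); the database name SessionStateDb, the user name AppSession and the login MACHINENAME\ASPNET are assumed placeholders, and the catalog views used assume SQL Server 2005 or later rather than the SQL Server 2000 of the thread's date.

```sql
-- Added example: audit which databases let guest connect, then create a
-- dedicated session-state database that only the application's login can reach.
-- SessionStateDb, AppSession and MACHINENAME\ASPNET are assumed placeholders.

-- 1. Which databases grant guest CONNECT? master and tempdb always do and
--    cannot be changed, which is the concern raised in the thread.
EXEC sp_MSforeachdb N'
  USE [?];
  IF EXISTS (SELECT 1
             FROM sys.database_permissions AS p
             JOIN sys.database_principals AS u
               ON p.grantee_principal_id = u.principal_id
             WHERE u.name = N''guest''
               AND p.permission_name = N''CONNECT''
               AND p.state IN (N''G'', N''W''))
    PRINT DB_NAME() + N'': guest can connect'';';
GO

-- 2. Dedicated database for session data instead of tempdb.
CREATE DATABASE SessionStateDb;
GO
USE SessionStateDb;
GO
-- guest cannot be removed from tempdb, but in a user database its CONNECT
-- permission can be revoked, so only explicitly mapped users get in.
REVOKE CONNECT FROM guest;
GO
-- Map only the application's login; nothing else is mapped into this database.
CREATE USER AppSession FOR LOGIN [MACHINENAME\ASPNET];
GO
-- Once the session-state tables and stored procedures have been installed into
-- this database, grant execute on the procedures only: the application never
-- needs direct SELECT/INSERT/DELETE rights on the session tables.
GRANT EXECUTE ON SCHEMA::dbo TO AppSession;
GO

-- 3. Verify the resulting footprint: impersonate the application user and list
--    its effective database-level permissions (expect CONNECT plus EXECUTE only).
EXECUTE AS USER = 'AppSession';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

The session-state tables and procedures themselves still have to be installed into SessionStateDb with the ASP.NET scripts pointed at that database; this block only sets up the container and its permissions.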

ActiveForums 3.6 | Copyright 1999 by Chip Andrews