Store session (asp.net) in SQL Server - asp.net

If we want to store sessions in SQL Server, which table stores the sessions?
To implement ASP.NET SQL Server mode session state management, you must modify the element of your application's Web.config file as follows:
1.Set the mode attribute of the element to SQLServer to indicate that session state is stored in SQL Server.
2.Set the sqlConnectionString attribute to specify the connection string for SQL Server. For example:
sqlConnectionString="data source=MySQLServer;user id=<username>;password=<strongpassword>"
Note The user, , must have permissions to perform this operation on the database.
The modified element should appear as follows:
<sessionState
mode="SQLServer"
sqlConnectionString="data source=127.0.0.1;user id=<username>;password=<strongpassword>"
cookieless="false"
timeout="20"
/>
The question is that is there a particular table storing the sessions?
Store session in SQL Server is a vague concept.
Thanks.

You're supposed to run the ASP.Net SQL Server Registration Tool first. The tool will create the appropriate session state tables.

To use SQLServer mode, you must first be sure the ASP.NET session state database is installed on SQL Server. You can install the ASP.NET session state database using the Aspnet_regsql.exe tool.
Aspnet_regsql.exe is located at
%windir%\Microsoft.NET\Framework\v4.0.30319 ( 32 bit systems .net framework 4 )
Follow the following link to see how to add session table
How To configure SQL server to store session state

The other answers are correct in that you should use the Aspnet_regsql.exe tool to create the session database for you. But out of interest, once that is done, you can find all sessions stored in the temp sessions table.
For instance, my session database is called ASPState and the table of interest is called ASPStateTempSessions. ASP.NET calls the stored procedures to manage the sessions in this table.

Related

SQL Server to manage ASP.NET sessions doesn't work

I follow the direction in here How to configure SQL Server to manage ASP.NET sessions to create ASPState db.
I have 2 web application in IIS 7. In IIS web application setting, i go to "Session State" and set session state as "SQL Server" and provide connection string.
In each web application web.config, i add
<sessionState
mode="SQLServer"
allowCustomSqlDatabase="false"
sqlConnectionString="data source=server;user id=user;password=password"
cookieless="false"
timeout="7200"
/>
I create a session ,
Session["Data"] = "test"
in Web App A and go to Web App B in the same browser to print it
Response.Write(Session["Data"]);
It shows NOTHING. I can see there are data in table : ASPStateTempApplications and ASPStateTempSessions under ASPState Database. Also, i dont see any error in event log. Can anyone think anything i may do wrong?
Thanks!!
You can not get session that belongs to App-A from App-B and vice versa.
The sessions are connected with the cookies, and the cookies are different between app-a and app-b, are random made. Even if set some how the same cookies then next the database connects session with the Application ID, that are also different for each applications.
So even if you have the same database, the application id is different, and the cookies are different, and you can not get session from a to b.
The only possible way to archive that is to make your custom session code, and some how knows that you have the same use on app-A and app-B, so to connected them together.

ASP.NET's AspStateTempSessions table

Using SqlServer session state provider with ASP.NET.
From : http://msdn.microsoft.com/en-us/library/aa478952.aspx ,
the ASPStateTempSessions table's SessionId column is made up of :
"Session Id" + "Application Id".
My question is, wouldn't "Session Id" be enough to make this column unique ? If so, is adding the "Application Id" just some additional security to make sure sessions can't be accessed across application boundaries ?
I'm just trying to understand session ids (the 24 character ones) a bit better.
EDIT : sorry, I should clarify. Assume that for all of the applications on the domain, the ASP.NET sessionState cookieName is explicitly set to a unique value for each application.
e.g :
for app 1 : <sessionState mode="SQLServer" ... cookieName="ASP.NET_SessionId_App1" > ..
for app 2 : <sessionState mode="SQLServer" ... cookieName="ASP.NET_SessionId_App2" > ..
(I'm thinking this will make each app use a different session ID ?).
If you are looking at a single application, yes - Session Id would be enough to make the column unique. However - the database schema is designed to support multiple applications in one Database. The application ID makes it unique when there are multiple records. It has nothing to do with Security.
ASP.NET Sql Server Session State Provider database schema is designed to support multiple web applications i.e. you can have same sql server database backing up sessions from multiple web sites.

Shrinking Session State in ASP.Net 4.0

I need more information on new feature in ASP.Net 4.0 Shrinking Session State.
My question is I am using session-state provider that stores data in a Microsoft SQL Server database. If I add compressionEnabled="true" key in web.config file as shown below and not do any code change, will application performance improve. How to check whether compression of sessions are happening and stored in SQL Server. Can any one share any sample code to implement and test this.
<sessionState
mode="SqlServer"
sqlConnectionString="data source=dbserver;Initial Catalog=aspnetstate"
allowCustomSqlDatabase="true"
compressionEnabled="true"
/>
Once you enable compression, session data will be GZip compressed when you use a state server or SQL server but will cost additional CPU cycles on your web server to perform the compression/decompression. This will result in smaller data being transmitted over the wire which will improve performance. Notice that while this reduces the actual session data it is still considered as bad practice to store big amounts of data into the session.

Difference between "InProc" & "stateServer" mode in SessionState on ASP.NET

like the title shows I want to know what is the difference between "InProc" & "stateServer" mode in SessionState on ASP.NET.
Thanks
In InProc mode, a live Session object is stored in RAM in the ASP.NET worker process (aspnet_wp.exe). It is usually the fastest, but more session data means the more memory is used on the web server, and that can affect performance.
In StateServer mode, each session is converted to XML (serialized) and stored in memory in a separate process (aspnet_state.exe). This state Server can run on another machine.
ASP.NET Session State FAQ
This MSDN article covers SessionState in detail.
Off - Used to disable sessions on website.
InProc - Sessions are stored inside of application's process on web server. Depending of IIS version used that could be aspnet_wp.exe or w3wp.exe.
StateServer - Sessions are stored using State Server windows service.
SQLServer - SQL Server database is used to store sessions' data
Custom - Manage session state using custom session state provider. Storage could be anything you implement in provider.
To specify session state mode in web.config, select one of these values for sessionState mode parameter:
In web.config file, <sessionState> element is located under <configuration>, <system.web> element.

Session state. How to manage session with custom mode?

I am working on a website and this is my first web project.
Scenario for Session
I have created a database for my project with security level little bit high. I want to manage session for each and every user who is logging in to my website. Session state can be used using Cookie as well as URL, only one at a time.
Now I went over with all four session state modes.
i.e
1. InProc 2. State Server 3. Sql Server 4. Custom
Now after reviewing from all these modes I am in confusion which one should I use Sql Server or Custom.
Basically i want to store session related information in my own database instead of Aspnet_db which is a default database provided by microsoft. I have created all tables related to login and registration. But I dont know how to store session into my database.
What tables do I need to create so as to maintain into database.
I want to create a complete log of session and login related information into my database(Persistant atleast for 1 year).
I want to use machinekey as AES and SHA1.
<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10" >
</sessionState>
<machineKey decryption="AES"
validation="SHA1"
decryptionKey="7E047D50A7E430181CCAF7E0D1771330D15D8A58AEDB8A1158F97EEF59BEB45D"
validationKey="68B439A210151231F3DBB3F3985E220CFEFC0662196B301B84105807E3AD27B6475DFC8BB546EC69421F38C1204ACFF7914188B5003C1DCF3E903E01A03C8578"/>
<add name="conString" connectionString="Data Source=192.168.1.5; Initial Catalog=dbName; Integrated Security=True;" providerName="System.Data.SqlClient" />
What all things do i need to specify in webconfig ?
My Data Source= 192.168.1.5
Database name= db.mdf
What I need to know about
What tables do i need to add to my
database to store session related
information. eg. Session id (Any
other field is also stored or not),
Session Time, Session Start Time,
Session End Time, Session Expire
Time. I dont know what all things
are usually taken.
Do I need to encrypt Session Id
before storing into database. If Yes
Encryption will be automatic or do i need to write some code to do this other than that I wrote in web config above.
How mode='custom' will be used into
web config using my database.
in following code
<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10" >
</sessionState>
If you're using the SQL Server session provider, you should run aspnet_regsql to create the tables you need:
aspnet_regsql –E -S localhost –ssadd –sstype p
(replace localhost with .\SQLEXPRESS if you're using SQL Express)
You can also specify a custom DB name with the -d flag if you don't want the command to create the aspnetdb database. You can also run the command without flags to use wizard mode.
If you want to build a custom session provider (not a small task), you might start by looking at the script that's run by the command above:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersistSqlState.sql
Although it depends on your requirements, generally encryption of session state doesn't add much value. However, if your data is particularly sensitive, then it might be worth considering. Note, though, that the biggest risk with session state normally isn't on the DB side, rather it's on the client side, with one user being able to steal a session from another user, by getting access to their session cookie. Because of that, before I resorted to encrypting on the DB side, I would at least use SSL for all pages that reference the session cookie.
In case it helps, I cover many aspects of customizing session state in my book, although I stop short of demonstrating a full custom provider: Ultra-Fast ASP.NET.
Question set 1:
Depends on how you implement your provider. MSDN will tell you how to do that.
I would say no, but I'm not a security expert.
Set 2:
What do you mean?

Resources