Does sensitive ASP.NET Session data need to be encrypted?

既然无缘 2021-01-14 22:47

Do ASP.NET Session[string key] data need to be encrypted to be secure?

If such data always stays on the server, doesn't that make it safe to store credit card infor

6 answers
  •  情歌与酒
    2021-01-14 23:36

    No. You should never store this information in the session. Even encrypted this information is vulnerable. Sessions may get hijacked, a server may get compromised and then everything that is in memory that happens to be used in memory as plaintext will be viewable to anyone with a hex editor. If you need references to this information, you should create hashes that are stored and not replayable that reference the information in a secure datastore.

    EDIT: For those that think session data is safe:

    http://en.wikipedia.org/wiki/Session_hijacking
    http://en.wikipedia.org/wiki/Session_fixation
    http://en.wikipedia.org/wiki/Session_poisoning
    http://www.owasp.org/index.php/2.0_Session_State_(in)security_(and_the_dangers_of_State_Server)

    There are ways of protecting session data, but if you need to keep very sensitive information such as passwords or credit card numbers, the session is not the place for it. Try coding to the Sarbanes-Oxley legal requirements for banking and medical applications, and you'll find in your first audit that this is one of the first things that gets checked.

    http://en.wikipedia.org/wiki/Session_management
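The pattern the answer recommends, shown as an added C# example that is not part of the original post: the session holds only an opaque, single-use reference, while the card number itself goes to a separate secure store (ideally a payment provider's tokenization service). `ISecureStore` and `CardReferenceVault` are hypothetical names, and a random 256-bit identifier is used as the non-replayable reference.

```csharp
// Added example, not code from the original post. ISecureStore and
// CardReferenceVault are hypothetical; the session never sees the card number.
using System;
using System.Security.Cryptography;
using System.Web.SessionState;

public interface ISecureStore
{
    // Backed by an encrypted datastore or a payment provider's tokenization API.
    void Put(string referenceId, string sensitiveValue);
    // Returns the value and deletes the entry, so a reference cannot be replayed.
    string TakeOnce(string referenceId);
}

public static class CardReferenceVault
{
    private const string SessionKey = "CardReference";

    // The pattern the answer warns against: plaintext card number in session memory,
    // readable by anyone who can dump the worker process or hijack the session.
    public static void StoreCardNumberInsecurely(HttpSessionState session, string pan)
    {
        session["CardNumber"] = pan;
    }

    // Recommended pattern: session holds only an unguessable random reference.
    public static string StoreCardReference(HttpSessionState session, ISecureStore store, string pan)
    {
        var bytes = new byte[32];                       // 256 bits of entropy
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
        string referenceId = Convert.ToBase64String(bytes);

        store.Put(referenceId, pan);                    // sensitive value leaves the web tier
        session[SessionKey] = referenceId;              // session keeps the reference only
        return referenceId;
    }

    // Redeem the reference exactly once: it is removed from the session and the
    // store entry is consumed, so a captured session cannot reuse it.
    public static string RedeemCardReference(HttpSessionState session, ISecureStore store)
    {
        var referenceId = session[SessionKey] as string;
        if (referenceId == null) return null;
        session.Remove(SessionKey);
        return store.TakeOnce(referenceId);
    }
}
```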
