Does sensitive ASP.NET Session data need to be encrypted?

Question

Do ASP.NET Session[string key] data need to be encrypted to be secure?

If such data always stays on the server, doesn\'t that make it safe to store credit card infor

Answer 1

I share m.edmondson idea, in the fact that sensitive information should be stored in database, (there are many techniques to dealing with sql-injection). Also for securing your site you should use HTTPS. But if you're going to store information that is not so sensitive for passing between pages you can use session variables, don forget to delete such variables as soon as possible. Remember you can aver going to the database to retrieve the data, only non-sensitive and time-consuming data should be stored in session scope.