Do ASP.NET Session[string key] data need to be encrypted to be secure?
If such data always stays on the server, doesn't that make it safe to store credit card infor
The question refers to the data being stored in memory on the same server, but that's just the default configuration. You can also set up a state server, write to a NoSQL DB, etc. Stateless web servers are becoming increasingly common thanks to the rise of the cloud and platforms-as-a-service.
Depending on your security policy, credit cards and passwords may not be the only information that you consider "confidential". Some orgs consider customer information such as addresses to be confidential as well. This means that any multi-step session checkout would contain "confidential" information.
The answer to this specific question may be a "no", but future readers might need to consider these additional items as well.