ASP.NET: State Server Gems
The September 2005 issue of MSDN Magazine contains an excellent article by Michael Volodarsky, one of the program managers on the Web Platform and Tools Team at Microsoft. The article examines session state and suggests best practices for designing and deploying high-performance, secure session solutions. If you're doing any serious ASP.NET development (and not just with the upcoming 2.0 version), that article is a must-read.
In particular, I'd like to emphasize a passage from the text about the ASP.NET state server, the external process (aspnet_state.exe) that runs as a Windows service and acts as an out-of-process data store for session state. It is important to note that this component imposes no authentication barrier on requestors: anyone who can reach it over the network (and place calls to the service) is potentially free to access session data for all sessions. To protect session state and make sure that only the Web server machine can access it, use a firewall or IPSec policies. Another security-related countermeasure is to change the default port number (42424). Keep in mind that the port change is obscurity, not authentication; the network-level restriction is the control that actually matters. Moreover, simply changing the number in web.config (precisely, in the tcpip=host:port value of the stateConnectionString attribute of the <sessionState> element) is not enough: that only tells the Web application where to connect. In ASP.NET 2.0, as well as in ASP.NET 1.x, you also need to edit a registry key so that the service itself listens on the new port. Locate the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters
and write the port number in the REG_DWORD Port entry.
Another handy suggestion from Michael's article concerns remote connections to the state server process. By default, the state server listens only on the local loopback interface. If the state server runs on a different machine from the Web server, you must enable remote connections explicitly. Once again, this requires a registry change: under the aforementioned key, set the REG_DWORD AllowRemoteConnection entry to a nonzero value. Do this only together with the firewall or IPSec restriction described above, because once the service accepts remote connections it accepts them from anyone who can reach the port.
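As an added, hypothetical example that is not part of Michael's article or of this post, here is how the whole procedure (the port change in the registry and in web.config, the remote-connection switch, and the network restriction) looks when scripted in PowerShell. The host addresses 10.0.0.9 and 10.0.0.5, the port 42500 and the web.config path are assumptions; New-NetFirewallRule exists only on Windows 8 / Server 2012 and later, so older hosts would use netsh advfirewall or an IPSec policy for that step instead. Both registry values are the ones the text names; nothing else about the service is assumed.

```powershell
# Added example, not from the MSDN article or this post: apply the three changes
# discussed above (non-default port, remote connections, network restriction) and
# point a Web application at the result. All concrete values are hypothetical:
#   - the state server host is 10.0.0.9; the only Web server allowed in is 10.0.0.5
#   - the service moves from the default port 42424 to 42500
#   - the application's web.config lives under C:\inetpub\wwwroot\MyApp
# Run the first function elevated on the state-server host, the second on the Web server.

$ErrorActionPreference = 'Stop'

function Set-StateServerHardening {
    param(
        [Parameter(Mandatory)][int]    $Port,          # new non-default listening port
        [Parameter(Mandatory)][string] $WebServerIp    # only client allowed to reach the port
    )

    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters'

    # 1. Port: the service reads it from this registry value, not from any web.config.
    Set-ItemProperty -Path $paramsKey -Name 'Port' -Type DWord -Value $Port

    # 2. Remote connections: off by default (loopback only); a nonzero value enables them.
    Set-ItemProperty -Path $paramsKey -Name 'AllowRemoteConnection' -Type DWord -Value 1

    # 3. The service has no authentication, so the network is the only barrier:
    #    allow the new port inbound from the Web server alone. New-NetFirewallRule
    #    needs the NetSecurity module (Windows 8 / Server 2012 or later); on older
    #    hosts use "netsh advfirewall firewall add rule ..." or an IPSec policy.
    New-NetFirewallRule -DisplayName "ASP.NET State Server $Port (web tier only)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $WebServerIp -Action Allow | Out-Null

    # 4. Restart so aspnet_state.exe re-reads its parameters, then verify that it
    #    listens on the new port and that nothing is left on the default one.
    Restart-Service -Name 'aspnet_state'
    $listening = netstat -an | Select-String -Pattern "TCP\s+\S+:$Port\s+\S+\s+LISTENING"
    if (-not $listening) { throw "aspnet_state is not listening on TCP $Port" }
    if (netstat -an | Select-String -Pattern "TCP\s+\S+:42424\s+\S+\s+LISTENING") {
        Write-Warning 'Something is still listening on the default port 42424'
    }
    $listening
}

function Set-WebConfigStateServer {
    param(
        [Parameter(Mandatory)][string] $WebConfigPath,   # hypothetical application config
        [Parameter(Mandatory)][string] $StateServerIp,   # hypothetical state-server address
        [Parameter(Mandatory)][int]    $Port             # must match the registry value
    )

    # Resulting element in web.config:
    #   <sessionState mode="StateServer" stateConnectionString="tcpip=10.0.0.9:42500" />
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $ss = $cfg.configuration.'system.web'.sessionState
    if (-not $ss) { throw "No <sessionState> element under <system.web> in $WebConfigPath" }
    $ss.SetAttribute('mode', 'StateServer')
    $ss.SetAttribute('stateConnectionString', "tcpip=${StateServerIp}:$Port")
    $cfg.Save($WebConfigPath)
    $ss.stateConnectionString
}

# On the state-server host (10.0.0.9), elevated:
Set-StateServerHardening -Port 42500 -WebServerIp '10.0.0.5'

# On the Web server (10.0.0.5):
Set-WebConfigStateServer -WebConfigPath 'C:\inetpub\wwwroot\MyApp\web.config' `
    -StateServerIp '10.0.0.9' -Port 42500
```

The order matters: restricting the port at the firewall comes before the service is restarted with AllowRemoteConnection set, so there is no window in which an unauthenticated, remotely reachable listener is exposed to the whole network. The netstat check at the end is the quick way to confirm that the registry edit, not just the web.config edit, took effect.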