I am working on a website and this is my first web project.

Scenario for Session

I have created a database for my project with a somewhat high security level. I want to manage a session for each and every user who logs in to my website. Session state can be carried using a cookie as well as the URL, only one at a time.

Now I have gone over all four session state modes, i.e. 1. InProc, 2. State Server, 3. SQL Server, 4. Custom.

Now, after reviewing all these modes, I am confused about which one I should use: SQL Server or Custom.

Basically I want to store session-related information in my own database instead of Aspnet_db, which is the default database provided by Microsoft. I have created all the tables related to login and registration. But I don't know how to store sessions in my database. What tables do I need to create in order to maintain them in the database?

I want to create a complete log of session and login related information in my database (persistent for at least 1 year). I want to use machineKey with AES and SHA1.

<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10">
</sessionState>
<machineKey decryption="AES"
            validation="SHA1"
            decryptionKey="7E047D50A7E430181CCAF7E0D1771330D15D8A58AEDB8A1158F97EEF59BEB45D"
            validationKey="68B439A210151231F3DBB3F3985E220CFEFC0662196B301B84105807E3AD27B6475DFC8BB546EC69421F38C1204ACFF7914188B5003C1DCF3E903E01A03C8578"/>

<add name="conString" connectionString="Data Source=192.168.1.5; Initial Catalog=dbName; Integrated Security=True;" providerName="System.Data.SqlClient" />

What all do I need to specify in web.config?

My Data Source = 192.168.1.5, Database name = db.mdf

What I need to know:

  1. What tables do I need to add to my database to store session-related information, e.g. Session ID (and whether any other fields are stored), Session Time, Session Start Time, Session End Time, Session Expire Time? I don't know what is usually stored.
  2. Do I need to encrypt the session ID before storing it in the database? If yes, will encryption be automatic, or do I need to write some code beyond what I wrote in web.config above?

  1. How will mode="Custom" be used in web.config with my database, in the following code:

<sessionState mode="Custom" cookieless="AutoDetect" timeout="15" regenerateExpiredSessionId="true" stateNetworkTimeout="10">
</sessionState>
A: 

Question set 1:

  1. Depends on how you implement your provider. MSDN will tell you how to do that.
  2. I would say no, but I'm not a security expert.

Set 2:

  1. What do you mean?
erikkallen
+2  A: 

If you're using the SQL Server session provider, you should run aspnet_regsql to create the tables you need:

aspnet_regsql -E -S localhost -ssadd -sstype p

(replace localhost with .\SQLEXPRESS if you're using SQL Express)

You can also specify a custom DB name with the -d flag if you don't want the command to create the aspnetdb database. You can also run the command without flags to use wizard mode.

If you want to build a custom session provider (not a small task), you might start by looking at the script that's run by the command above:

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallPersistSqlState.sql

Although it depends on your requirements, generally encryption of session state doesn't add much value. However, if your data is particularly sensitive, then it might be worth considering. Note, though, that the biggest risk with session state normally isn't on the DB side, rather it's on the client side, with one user being able to steal a session from another user, by getting access to their session cookie. Because of that, before I resorted to encrypting on the DB side, I would at least use SSL for all pages that reference the session cookie.

In case it helps, I cover many aspects of customizing session state in my book, although I stop short of demonstrating a full custom provider: Ultra-Fast ASP.NET.

RickNZ
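For reference, an added web.config fragment (my own example, not from the question or either answer) showing the built-in SQL Server session provider pointed at a custom database, which avoids writing a custom provider at all. It assumes the session tables were created in a database named SessionDb on the server from the question with `aspnet_regsql -S 192.168.1.5 -E -ssadd -sstype c -d SessionDb` (the `-sstype c` option stores state in the named custom database instead of aspnetdb); the server address and database name are placeholders to replace with your own.

```xml
<configuration>
  <system.web>
    <!-- Built-in SQL Server provider; no custom provider code is needed.
         allowCustomSqlDatabase="true" is required because the connection
         string names a database (Initial Catalog) rather than the default ASPState. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="Data Source=192.168.1.5;Initial Catalog=SessionDb;Integrated Security=True;"
                  allowCustomSqlDatabase="true"
                  cookieless="UseCookies"
                  timeout="15" />

    <!-- Session cookie is sent only over HTTPS and is not readable by client script,
         which addresses the session-cookie theft risk the answer above describes. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Two points worth knowing before relying on this for the one-year log the question asks for: the provider's tables hold only live sessions, and the script installed by aspnet_regsql also creates a SQL Agent job that periodically deletes expired rows, so a long-term login/session audit trail belongs in your own application tables written at login and logout, not in the session-state tables. And `cookieless="UseCookies"` rather than `AutoDetect` stops session IDs from ever being placed in the URL, where they end up in logs, referrers and browser history.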