ASP.Net SessionState using SQL Server - is the data encrypted?

Question

When using Sql Server to store and manage the SessionState, is the session data stored in the database using encryption?

When I look at the data in the ASPNet database, the data in the "SessionItemLong" in the ASPStateTempSessions columns appears to be hexadecimal data. Is this data being encrypted before being stored in the database? And if so, where is the key that is being used to encrypt the data and what algorithm is being used to encrypt the data?

Also, the Session state stores the object using serialization. Which serialization is used? (binary or XML)

Answer 1

There are no encryption there. The data is stored using binary serialization (it's much more faster than xml one). For details look at the SessionStateUtility class (you can browse it using free Reflector). This is the code which is used for serialization:

internal static void Serialize(SessionStateStoreData item, Stream stream)
{
    bool flag = true;
    bool flag2 = true;
    BinaryWriter writer = new BinaryWriter(stream);
    writer.Write(item.Timeout);
    if ((item.Items == null) || (item.Items.Count == 0))
    {
        flag = false;
    }
    writer.Write(flag);
    if ((item.StaticObjects == null) || item.StaticObjects.NeverAccessed)
    {
        flag2 = false;
    }
    writer.Write(flag2);
    if (flag)
    {
        ((SessionStateItemCollection) item.Items).Serialize(writer);
    }
    if (flag2)
    {
        item.StaticObjects.Serialize(writer);
    }
    writer.Write((byte) 0xff);
}

Answer 2

I had this problem recently, and had to deconstruct stored state to investigate a performance issue; the rough code was something like:

byte[] blob = ... // TODO
using (var ms = new MemoryStream(blob))
using (BinaryReader reader = new BinaryReader(ms)) {
    int len = reader.ReadInt32();
    bool f1 = reader.ReadBoolean(), f2 = reader.ReadBoolean();
    SessionStateItemCollection items = null;
    HttpStaticObjectsCollection sitems = null;
    if (f1) {
        items = SessionStateItemCollection.Deserialize(reader);
    }
    if (f2) {
        sitems = HttpStaticObjectsCollection.Deserialize(reader);
    }
    if (reader.ReadByte() != 0xFF) {
        throw new InvalidOperationException("corrupt");
    }
    if (items != null) {
        int max = items.Count;
        for (int i = 0; i < max; i++) {
            object obj = items[i];
            Console.WriteLine("{0}\t{1}", items.Keys[i],
                obj == null ? "n/a" : obj.GetType().FullName);
        }
    }
}