Re: Session variable. Secure ?



Hi,

well - as long as you have a secret (connection string with password) you can't escape having that secret in memory in plain text, even if you don't cache it somehow. Strings in .NET are not zeroed out and will be GCed at some point in time - so they will end up in memory for a longer time as well as in crash dumps and page files. So caching won't hurt you.

Of course - as Henning pointed out - eliminating the secret is the best approach. Use integrated security for the database (if possible) and no password is exposed at all.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hello Jim,

If you keep the decrypted value in memory, this has three side effects:
the value will most likely be in the page file, in any crash dump, and is
accessible from any application on the server running either under the
same security context or with the debug privilege enabled.

Which database server do you use? If you are running Windows 2003 with
SQL Server, you could run the application pool under a special
database access user and access the SQL Server with integrated
authentication. In this case you wouldn't need to encrypt your
connection string. The database user could then be locked down on the
database itself.

The session variable may or may not be transmitted over the wire. If
you are using an out-of-process session provider (SQL Server, for
example) the session state will be serialized and transferred to the
SQL Server.

But as Mr. Baier points out, the session state is never transmitted to
the client.

The whole thing depends on the amount of security you need. With a
defense-in-depth approach, you should keep the connection string
encrypted most of the time.

Greetings,
Henning Krause
-----Original Message-----
From: Jim Andersen [mailto:nospam@xxxxxxxxx]
Posted At: Monday, 23 January 2006 15:09
Posted To: microsoft.public.dotnet.security
Conversation: Session variable. Secure ?
Subject: Session variable. Secure ?
I'm developing a secure app. So I have a connection string in my
web.config. That string is encrypted. So it must be decrypted when I
want to use it.

The question is, do I have to call the decrypt procedure every time
(which is a LOT of times), or can I do it once, and then have the
unencrypted value somewhere handy, like a global variable/constant on
the webserver, a session variable or something else? Or do
session/application variables get submitted "across the wire" or
stored in a cookie?

thx
/jim
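To make the advice in the thread concrete, here is an added example (not code from any of the posters). It assumes ASP.NET 2.0 on .NET Framework 2.0, a web.config with a <connectionStrings> section, a hypothetical connection string named "MainDb", and that the section has been protected with the built-in DPAPI provider (either with aspnet_regiis as shown in the comment, or with the ProtectConnectionStrings helper below). It shows that the configuration system, not your code, does the decryption and keeps the parsed section in memory for the lifetime of the application, so there is nothing to gain from copying the plaintext into a Session or Application variable; and it shows the integrated-security form of the connection string, where there is no password to protect in the first place.

```csharp
// Added example, not from the original thread. Assumes ASP.NET 2.0 / .NET Framework 2.0
// and a <connectionStrings> section in web.config already protected with DPAPI, e.g.
// from a command prompt on the web server:
//   aspnet_regiis -pe "connectionStrings" -app "/MyApp" -prov "DataProtectionConfigurationProvider"
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Configuration;

public static class DbAccess
{
    // Hypothetical connection string name; not from the original thread.
    private const string ConnectionName = "MainDb";

    // Returns the plaintext connection string. The configuration system decrypts a
    // protected section when it first loads web.config and caches the parsed section
    // for the lifetime of the application, so calling this on every request does not
    // re-run the decryption. A Session or Application variable would only add a second
    // copy of the same plaintext to process memory (and, with an out-of-process session
    // provider, send it over the wire to the state server as well).
    public static string GetConnectionString()
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings[ConnectionName];
        if (s == null)
            throw new ConfigurationErrorsException("Missing connection string: " + ConnectionName);
        return s.ConnectionString;
    }

    // Opens a connection. With integrated authentication the connection string holds
    // no password, so there is nothing worth encrypting or caching, e.g.:
    //   Data Source=dbserver;Initial Catalog=AppDb;Integrated Security=SSPI
    // The application pool identity (e.g. a dedicated domain account) is then the login
    // the database sees, and it can be granted only the permissions the app needs.
    public static SqlConnection OpenConnection()
    {
        SqlConnection conn = new SqlConnection(GetConnectionString());
        conn.Open();
        return conn;
    }

    // Deployment-time sanity check: true if the configured string still carries a
    // clear-text password, i.e. integrated security is not actually in use.
    public static bool ContainsPassword()
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder(GetConnectionString());
        return !b.IntegratedSecurity && b.Password.Length > 0;
    }

    // Encrypts the connectionStrings section programmatically (same effect as the
    // aspnet_regiis command above). Assumes the caller has write access to web.config,
    // e.g. a one-off setup page or a deployment script. Idempotent: a section that is
    // already protected is left alone.
    public static void ProtectConnectionStrings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();
        }
    }
}
```

Note that DPAPI with the default (machine) scope ties the encrypted section to the server it was encrypted on, so a web farm needs either per-server encryption or the RSA provider with an exported key container; and the account the application pool runs under must be able to read the section, which for the RSA provider means granting it access to the key container.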




