Encrypting Session Data

The .NET Framework session providers can be configured to encrypt session data in your ASP.NET client application using AES. Encryption is performed in your client application before it is sent to the ScaleOut service. A password and salt must be specified to derive an AES encryption key.

Important

The password and salt must be set to the same values across all the web servers in your farm.

The password that you supply is run through PBKDF2 to derive a 256-bit AES encryption key. The salt value is an 8-byte value (expressed as a 64-bit unsigned integer) used to initialize the cryptographic hash algorithm that derives the key from the supplied password.

Note

Any 64-bit integer can be used here as the cryptographic salt. Valid numbers fall in the range of 0 to 18446744073709551615 (inclusive).

The password and salt can be placed in one of two locations in the web.config file.

Specifying the Password in AppSettings

If the session provider’s encryptionPasswordLocation attribute is set to "AppSettings", the provider will look in the web.config’s <appSettings> section for the encryption password and salt. The following two entries must be added (with the values replaced by your own password/salt):

<appSettings>
  <add key="scaleoutSessionCryptoPassword" value="My secret password"/>
  <add key="scaleoutSessionCryptoSalt" value="1250743594205046691"/>
</appSettings>
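As an added illustration (not the ScaleOut provider's own code), the script below reads the two appSettings entries, validates that the salt is a decimal integer in the 64-bit unsigned range, derives a 256-bit key with PBKDF2, and compares the keys two web servers would derive, so a salt or password mismatch across the farm is caught before sessions fail to decrypt. The iteration count, hash function and salt byte order are assumptions for the demonstration; the page does not state the values the provider uses.

```python
import hashlib
import xml.etree.ElementTree as ET

PASSWORD_KEY = "scaleoutSessionCryptoPassword"
SALT_KEY = "scaleoutSessionCryptoSalt"
SALT_MAX = 2**64 - 1  # salt is a 64-bit unsigned integer (0 .. 18446744073709551615)

# Assumed derivation parameters for illustration only; the provider's actual
# iteration count, hash function and salt byte order are not given on the page.
ITERATIONS = 100_000
KEY_BITS = 256


def read_crypto_settings(app_settings_xml: str) -> tuple:
    """Pull the password and salt out of an <appSettings> fragment and validate the salt."""
    root = ET.fromstring(app_settings_xml)
    values = {add.get("key"): add.get("value") for add in root.iter("add")}
    missing = [k for k in (PASSWORD_KEY, SALT_KEY) if k not in values]
    if missing:
        raise ValueError(f"missing appSettings entries: {missing}")
    try:
        salt = int(values[SALT_KEY], 10)
    except ValueError:
        raise ValueError(f"{SALT_KEY} must be a decimal integer, got {values[SALT_KEY]!r}")
    if not 0 <= salt <= SALT_MAX:
        raise ValueError(f"{SALT_KEY} out of range 0..{SALT_MAX}: {salt}")
    return values[PASSWORD_KEY], salt


def derive_key(password: str, salt: int) -> bytes:
    """PBKDF2 over the password with the 64-bit salt packed as 8 bytes (big-endian assumed)."""
    salt_bytes = salt.to_bytes(8, "big")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt_bytes, ITERATIONS, KEY_BITS // 8)


def keys_match(config_a: str, config_b: str) -> bool:
    """True when two web servers' appSettings fragments derive the same AES key."""
    return derive_key(*read_crypto_settings(config_a)) == derive_key(*read_crypto_settings(config_b))


# Constructed sample fragments: server B carries a one-digit salt typo.
SERVER_A = """<appSettings>
  <add key="scaleoutSessionCryptoPassword" value="My secret password"/>
  <add key="scaleoutSessionCryptoSalt" value="1250743594205046691"/>
</appSettings>"""
SERVER_B = SERVER_A.replace("1250743594205046691", "1250743594205046692")

if __name__ == "__main__":
    print("farm keys consistent:", keys_match(SERVER_A, SERVER_A))  # True
    print("farm keys consistent:", keys_match(SERVER_A, SERVER_B))  # False
```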

Specifying the Password in the <scaleoutEncryptedSessions> Section

If the session provider’s encryptionPasswordLocation attribute is set to "ConfigSection", the provider will look in your web.config’s <scaleoutEncryptedSessions> section for the encryption password and salt. This approach may be preferable to using AppSettings if you want to protect the encryption password with .NET’s Protected Configuration feature.

First, edit your application’s web.config file to add the handler for the configuration section:

<configSections>
  <section name="scaleoutEncryptedSessions" type="Scaleout.AspNet.ScaleoutEncryptedSessionStateSection, Scaleout.AspNet" />
</configSections>

Next, add a <scaleoutEncryptedSessions> section and specify the password and salt to use for encryption:

<scaleoutEncryptedSessions
    password="My secret password"
    salt="1250743594205046691" />

Optional, but recommended: Use .NET’s Protected Configuration feature to encrypt the <scaleoutEncryptedSessions> section. See the Protecting .NET Framework Configuration Sections topic in this guide for best practices when using Protected Configuration in a web farm.