Simplifying .NET Session Management for Security Part 1

Simplifying .NET Session Management for Security Part 1


A “session” refers to a temporary interaction between a user and a web application, typically beginning when a user logs in and
ending when they log out or after a certain period of inactivity.

Client-Side Session Management:

Client-side session management involves storing session-related information on the user’s device, typically in the form of cookies.


  • Understanding: Cookies are small pieces of data stored on the client-side, containing information about the user’s session or preferences.
  • Threat: Cookies can be vulnerable to theft or manipulation, leading to unauthorized access.
  • Mitigation:
    • Do not make cookies available in plain text in storage or in transit.
    • Technical nitty-gritty:
      • Enable secure cookies with the “Secure” attribute for HTTPS-only transmission to protect against interception and tampering.
<httpCookies httpOnlyCookies="true" requireSSL="true" />

View State:

  • Definition: ViewState facilitate data retention of user interactions.
  • Threat: ViewState, if tampered with, can compromise the integrity of data on the client side.
  • Mitigation:
    • Do not make ViewState data available in plain text in storage or in transit and validate that ViewState data has not been tampered with.
    • Technical nitty-gritty:
    • Encrypt ViewState data and validate integrity to prevent tampering and maintain data integrity.
// Encrypt ViewState
protected override void SavePageStateToPersistenceMedium(object viewState)
    string encryptedState = Encrypt(viewState.ToString());
    // Save encryptedState to persistence medium


  • Definition: Query strings are parameters appended to the URL (your website address example:, containing data when it is the client and server.
  • Threat: Information passed through query strings can be exposed and manipulated.
  • Mitigation:
    • Avoid sensitive data in query strings; if needed, encrypt or use other secure methods to prevent exposure and tampering.
    • Technical nitty-gritty:
// Encrypt sensitive data before appending to the query string
string encryptedData = Encrypt(sensitiveData);
string queryString = $"?data={encryptedData}";

Server-Side Session Management:

When a user interacts with a web application, the server uses session state to keep track of their activities and preferences.
“State information” refers to the data associated with a specific user’s session that is stored on the server. This data is essential for maintaining the continuity of a user’s interaction with a web application across multiple requests. State information typically includes user-specific details, preferences, and any other relevant data that needs to persist throughout the duration of the user’s session.

Stay tuned for more details on Server-Side Session Management. 🙂

You can take Secure development courses online at the below location!

You can take Secure development courses instructor led below!

Some supplementary material for you to prepare for certification!

Leave a Reply

Your email address will not be published. Required fields are marked *

Social media & sharing icons powered by UltimatelySocial