Sunday, July 13, 2008

Configuring Session State Settings for ASP.NET with IIS 7.0

In the default configuration, IIS manages session state for ASP.NET in much the same way as it manages session state for ASP. Beyond the basic settings, however, you have many more options. For ASP.NET pages, you use the Enable Session State setting of the Pages And Controls feature as the master control to turn session state management on or off, or to configure IIS to use a read-only session state. You then use the Session State feature to fine-tune how session state is managed.

By default, IIS maintains session state in process, as does ASP. Each ASP.NET application configured on your server can have its own session state settings. When you've activated the ASP.NET State Service and configured it to start automatically, you can use out-of-process session state management for ASP.NET. Out-of-process state management ensures that session state information is preserved when an application's worker process is recycled. You can configure out-of-process state management to use a State Server or a Microsoft SQL Server database. Before you configure a SQL Server for session state, you must run the InstallSqlState.sql script on the server. By default, this script is stored in %SystemRoot%\Microsoft.NET\Framework\FrameworkVersion, where FrameworkVersion is the version of the .NET Framework you are using, such as v2.0.50727.

You turn on or off session state management or use a read-only session state by following these steps:

1. In IIS Manager, navigate to the level of the configuration hierarchy you want to manage, and then display the Pages And Controls page by double-clicking the Pages And Controls feature.

2. On the Pages And Controls page, the Enable Session State text box shows the current session state. As necessary, change this setting to False to disable session state maintenance, True to enable session state maintenance, or ReadOnly to use a read-only session state.

3. In the Actions pane, click Apply to save your settings.


Once you've enabled a ReadWrite or ReadOnly session state, you can use the settings of the Session State feature to optimize the session state configuration. Follow these steps:

1. In IIS Manager, navigate to the level of the configuration hierarchy you want to manage, and then display the Session State page by double-clicking the Session State feature.

2. On the Session State Mode Settings frame in the main pane, use the following options to set the session state mode:

• Not Enabled: Select this option to disable session state.

• In Process: Select this option to store session state data for a managed-code application in the worker process where the application runs. This is the default setting.

• Custom: Select this option to configure IIS to use a custom provider to handle session state for ASP.NET applications.

• State Server: Select this option to enable the ASP.NET State Service and store session state data outside the worker process where the application runs. The ASP.NET State Service stores the session state in an internal database by default or in a database of your choosing. You must start the service and configure it for automatic startup.

• SQL Server: Select this option to configure IIS to use a SQL Server database to store session state data instead of storing it in the worker process where the application runs. The ASP.NET State Service stores the session state in the SQL Server database you designate. You must start the service and configure it for automatic startup.

3. With the State Server or SQL Server option, the Connection String text box sets the connection string that is used to connect to the state server or SQL Server. If you click the related selection drop-down list, you can choose a previously created connection string to use. If you click the related Create button, you create the required connection string by using the Create Connection String dialog box.

4. With the State Server or SQL Server option enabled, the related Time-Out text box sets the time, in seconds, that the connection will be maintained. The default for a state server is 10 seconds. The default for a server running SQL Server is 30 seconds.

5. With the SQL Server option enabled, you can select the Enable Custom Database check box to enable a custom SQL Server database for storing session state data.

6. On the Cookie Settings pane, in the Mode drop-down list, select the desired item to specify how cookies are used to store session state data. The items are:

• Auto Detect: IIS uses cookies if the browser supports cookies and cookie support is enabled. Otherwise, IIS doesn't use cookies.

• Use Cookies: Allows IIS to track the session state by using cookies. IIS passes the session state in cookies for all requests between a client browser and the Web server. Because cookies do not require redirection, cookies allow you to track session state more efficiently than any of the methods that do not use cookies. Using cookies also has several other advantages. Cookies allow users to bookmark Web pages, and they ensure that state is retained if a user leaves one site to visit another and then returns to the original site.

• Use Device Profile: IIS uses cookies if the device profile supports cookies, regardless of whether cookie support is enabled or disabled. The only time that IIS doesn't use cookies is when the device profile indicates that the browser doesn't support cookies.

• Use URI: IIS inserts the session ID as a query string in the Uniform Resource Identifier (URI) request, and then the URI is redirected to the originally requested URL. Because the changed URI request is used for the duration of the session, no cookie is necessary.

7. Keep the following in mind when you are specifying how cookies are used to store session state data:

• When you use the Auto Detect, Use Device Profile, or Use URI cookie modes, the Regenerate Expired Session ID check box is selected automatically. This ensures that IIS rejects and reissues session IDs that do not have active sessions. You should require that expired session IDs be regenerated because this ensures that IIS expires and regenerates tokens, which gives a potential attacker less time to capture a cookie and gain access to server content. If you want to disable session ID regeneration, as may be necessary when initially testing a new deployment in a development environment, clear this check box. Be sure to re-enable this feature later to enhance server security.

• When you use the Auto Detect, Use Cookies, or Use Device Profile cookie modes, the entry in the Time-Out (In Minutes) text box sets the period of time that IIS maintains a session object after the last request associated with the object is made. The default time-out is 20 minutes. For a high-usage application in which you expect users to move quickly from page to page, you might want to set a fairly low time-out value, such as 5 or 10 minutes. On the other hand, if it's critical that the user's session is maintained to complete a transaction, you might want to set a long time-out value, such as 60 minutes.

• When you use the Auto Detect, Use Cookies, or Use Device Profile cookie modes, the Name text box sets a name for the cookie. The default is ASP.NET_SessionId. To enhance security, you may want to change this value to a name that isn't as readily identifiable as the session ID.

• The Use Hosting Identity For Impersonation option enables Windows authentication for remote connections using the host process identity. Typically, this is the setting you want to use to ensure that IIS can read and write session state data.

8. In the Actions pane, click Apply to save your settings.
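Everything the two procedures above set through IIS Manager is persisted in the application's web.config as the `<pages>` and `<sessionState>` elements under `<system.web>`, so editing that file at the site or application level is equivalent to clicking Apply at that level. The fragment below is an added illustration, not from the book or from Microsoft; it shows the configuration that results from enabling session state, choosing SQL Server mode with the defaults named in steps 3 to 5, and applying the cookie recommendations from steps 6 and 7. The server name SQLHOST, the cookie name SessionToken and the State Server address in the comment are placeholder values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Pages And Controls, Enable Session State = True.
         Use "ReadOnly" for a read-only session state, "false" to turn it off. -->
    <pages enableSessionState="true" />

    <!-- Session State feature, SQL Server mode. allowCustomSqlDatabase="false"
         corresponds to leaving "Enable Custom Database" cleared, so the
         connection string names the server only, not a database. -->
    <sessionState
        mode="SQLServer"
        sqlConnectionString="Data Source=SQLHOST;Integrated Security=SSPI"
        sqlCommandTimeout="30"
        allowCustomSqlDatabase="false"
        cookieless="UseCookies"
        regenerateExpiredSessionId="true"
        cookieName="SessionToken"
        timeout="20"
        useHostingIdentity="true" />

    <!-- State Server mode instead (placeholder address; 42424 is the
         ASP.NET State Service's default port):
    <sessionState
        mode="StateServer"
        stateConnectionString="tcpip=127.0.0.1:42424"
        stateNetworkTimeout="10"
        cookieless="UseCookies"
        regenerateExpiredSessionId="true"
        cookieName="SessionToken"
        timeout="20" />
    -->
  </system.web>
</configuration>
```

The `cookieless` attribute takes the same four values the Mode drop-down offers (AutoDetect, UseCookies, UseDeviceProfile, UseUri), `regenerateExpiredSessionId` and `cookieName` are the Regenerate Expired Session ID check box and Name text box, and `timeout` is the Time-Out (In Minutes) value. With Integrated Security in the connection string, the identity the worker process runs under is the one that must have been granted access to the session state database created by InstallSqlState.sql.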

Source of information: Microsoft Press, Internet Information Services (IIS) 7.0 Administrator's Pocket Consultant
