8.10. Database Security for SQL Session State
SQL Server session state is the most common out-of-process session state mode used by developers. As a result of its popularity, a few quick notes around the database store are in order. The thing to keep in mind when using SQL Server session state is that the information sitting in the session state database is effectively a snapshot of various pieces of application data associated with individual users. If you have sensitive information or privacy related information stored in session, the potential exists for other malicious code to reach into the SQL Server session state store and retrieve it.
Prior to ASP.NET 2.0, you could store session state inside of tempdb or inside of a specific database called ASPState. Both of these deployment options open up the potential for session data in one application being accessible from another application. The specific risk is that each ASP.NET application that is pointed either tempdb or ASPState has to be configured with dbo-level credentials. The entire schema created by the SQL Server-based session state feature is owned by the dbo user. Furthermore, the code inside of the SQL Server session state provider prepends all of the stored procedure names with dbo.
As a result, if multiple ASP.NET applications are configured to point at one of the common session state databases, page code inside of these ASP.NET applications can easily issue a select statement directly against the session state ...