Session state probably does not strike most people as having much of anything to do with security. However, some security-related design points are worth touching on when thinking about how session state is used in an application. ASP.NET 3.5 plays an important role in securing cookieless sessions as well as locking down behavior in lower trust levels.
This chapter covers the following topics on ASP.NET 3.5 session state:
Session state and the concept of a logon session.
How session data is partitioned across applications.
Cookie-based session IDs.
Cookieless sessions and session ID regeneration.
Configuring session state inside IIS 7.0.
Protecting against session state denial-of-service attacks.
Trust-level restrictions when using session state.
Database security when storing session state in SQL Server.
Securing the out-of-process state server.