8.9. Trust Levels and Session State
As with just about every other aspect of ASP.NET, the session state feature is affected by the trust-level settings for your machine and your application. For in-process session state, the effect of the trust level is limited to restrictions around serialization and deserialization, which were originally introduced with ASP.NET 2.0 (a bit more on that later in this section). However, both SQL Server session state and the out-of-process (OOP) session state server require the application to run in Medium trust or higher.
You can take any of the previous sample applications that used SQL Server-based session state and add a <trust /> element as follows:
<trust level="Low"/>
You get back an error page to the effect that you can't use session state at that trust level. If you tweak the trust level to Medium, the application will start working again.
Things get a bit interesting, though, if you take an additional step and edit the actual trust policy file (for all the details on trust levels and their relationship to trust policy files, see Chapter 4). Change the application to use a custom trust level:
<trust level="Medium_Custom"/>
This custom trust level sets the AspNetHostingPermission.Level to Medium, so effectively the application is running a modified version of the Medium trust level. Then in the trust policy file associated with this trust level, remove the following permission element:
<IPermission class="SqlClientPermission" version="1" ...
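A configuration check for the requirement described in this section, as an added example that is not code from the book: it reads one web.config, flags SQL Server or state server session state configured below Medium trust, and sends custom levels such as Medium_Custom to a review of their policy file. It assumes the file has no XML namespace and no inherited or `<location>` settings; the policy file name in the sample is hypothetical.

```python
import xml.etree.ElementTree as ET

# Built-in ASP.NET trust levels, lowest to highest.
BUILTIN_LEVELS = ["Minimal", "Low", "Medium", "High", "Full"]
# Session state modes the section says need Medium trust or higher.
NEEDS_MEDIUM = {"SQLServer", "StateServer"}

# Constructed sample: SQL Server session state at Low trust.
SAMPLE_LOW = """<configuration><system.web>
  <trust level="Low"/>
  <sessionState mode="SQLServer" sqlConnectionString="PLACEHOLDER"/>
</system.web></configuration>"""

# Constructed sample: custom level; the policy file name is hypothetical.
SAMPLE_CUSTOM = """<configuration><system.web>
  <securityPolicy>
    <trustLevel name="Medium_Custom" policyFile="web_mediumtrust_custom.config"/>
  </securityPolicy>
  <trust level="Medium_Custom"/>
  <sessionState mode="SQLServer" sqlConnectionString="PLACEHOLDER"/>
</system.web></configuration>"""


def check_session_trust(web_config_xml):
    """Return (status, detail) for one web.config document."""
    web = ET.fromstring(web_config_xml).find("system.web")
    if web is None:
        return ("ok", "no system.web section; defaults are InProc and Full trust")
    trust = web.find("trust")
    session = web.find("sessionState")
    level = trust.get("level", "Full") if trust is not None else "Full"
    mode = session.get("mode", "InProc") if session is not None else "InProc"
    if mode not in NEEDS_MEDIUM:
        return ("ok", f"mode {mode} is not one of the modes that need Medium trust")
    if level in BUILTIN_LEVELS:
        if BUILTIN_LEVELS.index(level) >= BUILTIN_LEVELS.index("Medium"):
            return ("ok", f"{mode} at {level} trust")
        return ("fail", f"{mode} needs Medium trust or higher, found {level}")
    # Custom level: the name proves nothing, the mapped policy file decides.
    for entry in web.findall("securityPolicy/trustLevel"):
        if entry.get("name") == level:
            return ("review", f"custom level {level}: inspect {entry.get('policyFile')}")
    return ("fail", f"custom level {level} has no securityPolicy mapping")


if __name__ == "__main__":
    for sample in (SAMPLE_LOW, SAMPLE_CUSTOM):
        print(check_session_trust(sample))
```

A "review" result means the permission set in the named policy file has to be read by hand, since a custom level can drop permissions such as SqlClientPermission while keeping a Medium-sounding name.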