I am developing a web application in which I plan to store some values in session variables. I plan to use the SessionState service, since the main reason I plan to use session variables is to reduce some part of the DB access (there will be at MOST 500 bytes of data per user).
Assuming that the user has their Session ID key, what must I do so that the user cannot access the variables that I hide in the Session collection? Also, do I need to take care of ViewState (although I plan to turn it off in this app, it would be nice to know)?
Unless the user has root access to your server (which is where the session data is stored) you shouldn’t worry too much. But I guess that if the user had root access to your server you would have far bigger problems to worry about than session data.
The client cannot access data which is stored inside the session. Only server-side code can access it. So it is up to you to decide what information you want to send to the client. All that the user sees is the session id (which is stored in a cookie), not the actual session data. This id is sent by the user on each request so that the server can find the corresponding data, which in your case is stored in the memory of the state server that you have configured.
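As an added example (not part of the original question or answer), here is a web.config fragment for the setup described above: session data held by the ASP.NET State Service, with only the session ID sent to the browser in a cookie. The state server address is the service's default local endpoint and, like the assumption that the site is served over HTTPS, is not taken from the page.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Session data lives in the ASP.NET State Service process, not in the
         browser. 127.0.0.1:42424 is the service's default local endpoint
         (assumed here; use your own state server address). -->
    <sessionState
        mode="StateServer"
        stateConnectionString="tcpip=127.0.0.1:42424"
        cookieless="UseCookies"
        timeout="20" />
    <!-- cookieless="UseCookies" keeps the session ID out of the URL.
         The weaker alternative, cookieless="UseUri", embeds the ID in every
         link, where it ends up in logs, bookmarks and Referer headers. -->

    <!-- The session ID is the only thing the client holds, so protect the
         cookie: no script access, and sent over HTTPS only (assumes the
         site is served over HTTPS). -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- ViewState, unlike Session, is sent to the browser in a hidden form
         field. Turned off here as the question plans; the MAC keeps it
         tamper-evident on any page that turns it back on. -->
    <pages enableViewState="false" enableViewStateMac="true" />
  </system.web>
</configuration>
```

With mode="StateServer", objects placed in the Session collection must be serializable, because they are passed between the web application and the state service process.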