Other Session Configuration Settings

ASP.NET supports some other configuration settings not available through the IIS configuration utility. These are values you need to type into the Web.Config file directly.

If you don't like the rather obvious name of the session ID cookie made up by ASP.NET (the default is SessionID), you may change it. The cookieName setting lets you change that name. You might want to rename the cookie as a security measure to hamper hackers in their attempts to hijack a session key.

If you want to replace an expired session ID with a new one, setting the regenerateExpiredSessionId setting to true will perform that task. This is only for cookieless sessions.

If you don't like the SQL Server database already provided to support ASP.NET's session state, you may apply your own database. The allowCustomSqlDatabase setting turns this feature on.

When using SQL Server to store session data, ASP.NET has to act as a client of SQL Server. Normally, the ASP.NET process identity is impersonated. You may instruct ASP.NET to use the user credentials supplied to the identity configuration element within Web.Config by setting the mode attribute to Custom. By setting the mode attribute to SQLServer, you tell ASP.NET to use a trusted connection.

Used when the mode attribute is set to StateServer, the stateNetworkTimeout is for setting the number of seconds for the idle time limits of the TCP/IP network connection between the Web server and the state server. The default is 10.

Finally, you may instruct ASP.NET to use a custom provider by setting the name of the provider in the custom element. For this to work the provider must be specified elsewhere in Web.Config (specifically in the providers element).