I am using the Redis cache Session State Provider in my MVC application. Of course, all the settings for the provider are in my Web.config. The application works if I just put Host and Key and all this is like simple strings, so it looks like this:
<sessionState mode="Custom" customProvider="MySessionStateStore"> <providers> <add type="Microsoft.Web.Redis.RedisSessionStateProvider" name="MySessionStateStore" host = "[HOST]" port = "6379" accessKey = "[KEY]" ssl = "false" throwOnError = "true" retryTimeoutInMilliseconds = "5000" databaseId = "0" applicationName = "TRAXProSurvey" connectionTimeoutInMilliseconds = "5000" operationTimeoutInMilliseconds = "1000" /> </providers> </sessionState>
... where "[HOST]" and "[KEY]" instead of the actual values. But this is not entirely safe, is it? Is there any way to hide this information somehow?
I know about using application settings in Azure configuration - I actually use a pair for something else. But I do not find a way to use them here specifically. I can create an application configuration variable, but what is the way to access this value in sessionState? I tried using System.Configuration.ConfigurationManager.AppSettings ("[name]") - only that, with quotes and with single quotes.
Maybe I just encrypted Web.config .... I found that you can add "<" MSDeployEnableWebConfigEncryptRule "> true <'/ MSDeployEnableWebConfigEncryptRule'>" (without any single quotes) in .pubxml - but that doesn't work on Regular Azure sites
I also found articles / examples for encrypting Web.config sections using aspnet_regiis .... but this will not work in a web farm environment such as Azure, right?
So what are the other options (if any)? ... or is it just not possible? Thanks!
source share