There are 3 different ways you can store session in an ASP.NET application:
InProc means we store the data in the same process (in memory) on the web server, in the worker process. This has some distinct advantages in that it is faster since everything is in the same process. It also means you can store anything in session as you don’t have to worry about serializing the data.
State Server is a process that runs separate from the worker process. This can run on the same machine or on a different machine. The advantage to this one is that if the worker process crashes, you don’t lose your session. Also, you can do some sharing of session across multiple servers in the web farm. To enable using State Server, you add the following configuration setting:
SQL Server mode is similar to State Server except that the data is stored in a SQL Server database. This is the best option if you are expecting heavy use as SQL is designed to handle large loads of requests. To enable SQL Server, you add the following configuration setting:
For the last two choices, it is best to encrypt the connection string for security purposes. For steps to do that, check out Encrypting Configuration Information Using Protected Configuration.
There is another method, but it is creating your own provider. You can get more information on doing that at Implementing a Session-State Store Provider.