"The shortest distance between two points is under construction."
-- Noelie Alito


StateManager reference
To view class library information, you can:
StateManager.config reference
The StateManager.config file must be placed in the web application's root folder. The main structure of the document is below.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
      <StateManager>   
            <Settings
                  SessionExpireMinutes="30"    
                  PersistedExpireDays="30"
                  HideErrors="false"
                  MaxCookies="1"
            />
            <SessionEncryptionSettings
                  Enabled="true"
                  Algorithm="Rijndael"
                  Key="ABCDEFGHIJ123456"
                  InitVector="ABCDEFGHIJ123456"
            />
            <PersistedEncryptionSettings
                  Enabled="true"
                  Algorithm="Rijndael"
                  Key="ABCDEFGHIJ123456"
                  InitVector="ABCDEFGHIJ123456"
            />
      </StateManager>
</configuration>

Settings Node
SessionExpireMinutes [int] Time (in minutes) for the session to expire. Each request is tagged with a new session time. If the time between requests exceeds this time, the session is invalidated.
PersistedExpireDays [int] Time (in days) values are stored in the persisted cookie. When a session is initiated, values found in the persisted cookie are rehydrated in the State class.
HideErrors [true|false] Boolean value indicating whether or not errors generated within the module are thrown to the application. Generally, it's best to leave this to "true" in a production environment, which will cause all errors to be eaten. Most of the time, errors within the module are recoverable. If errors are thrown to the application, it may create a situation where the errors are unrecoverable and persisted on each request (for example, when encryption keys are changed).
MaxCookies [int] The maximum number of cookies to write while serializing the data. If the length of the data exceeds 4,096 bytes, the data will "spill over" into another cookie, up to the maximum number of cookies specified. As a best practice, this should be kept to the lowest number as possible. To profile an application, trace data can be examined that shows the length of each cookie.

Note: While RFC2109 specifies that each domain should allow for at least 20 cookies containing 4K of data each, IIS, by default, limits each request header to 16K. See this INF for more information on changing this setting in IIS, if it becomes necessary due to the number of cookies the application is generating.

SessionEncryptionSettings and PersistedEncryptionSettings Nodes
Enabled [true|false] Boolean value indicating whether encryption is enabled for either the session or persisted cookies. If set to false, the objects are serialized but not encrypted in the cookie. While this has a large performance improvement, it should only be done when the StateManager manages non-critical information. Other fields (below) are required but ignored. When set to true, encryption is enabled, using the settings as outlined below.
Algorithm [Rijndael|Des|TripleDes|Rc2] One of four possible algorithms. Each supports a different key and initialization vector lengths. Additional information is available in the StateManager documentation links above.
Key [string] Key (in ASCII characters) used to create the encryption key bytes. Generally 8, 16, 24, or 32 bytes, depending on the algorithm. ASCII is generally used for encoding because it has a 1:1 character to byte ratio, needed to satisfy the 64, 128, 192, or 256 bit encryption key lengths (1 byte = 8 bits). If HideErrors is true, the StateManager will pad or truncate the key as necessary to satisfy that requirement if the values are outside their required range.
InitVector [string] Initialization Vector, typically 8 or 16 bytes, is similar to a salt value in that ideally, it is a new, random value with each encryption set. If randomized per user, identical plain text would encrypt to different ciphertext values, thereby increasing the security. (Each user would share the same key, but have unique initialization vectors.) In a web environment with fairly short-lived data and high volume processing, it's impractical to randomize and store new initialization vectors with each request in a secure way; therefore, it's stored globally.

If HideErrors is true, the StateManager will pad or truncate the InitVector as necessary to satisfy the length requirement if the values are outside their required range for the chosen algorithm.