app.UseCookieAuthentication - SessionStore

amal James 0 Reputation points
2025-02-21T16:16:47.76+00:00

Hi Team,

I have a scenario where, in an ASP.NET MVC application, the session key (a new GUID every time a user logs in) is stored in a SQL database table.

The methods below are used.
I need suggestions on two things:

1. The underlying database table can have any number of fields other than Key, TicketString and TicketExpiry.

Is it an issue if I add more fields, since the table is handled by the ASP.NET framework?

2. As part of session killing from an external application I need to send this key to an API, but I need this key to be fetched from the other places where the API calls are happening. Please suggest an approach to do it. I tried to add this key to the claims and retrieve it from there, but the key is missing from the claims when I try to fetch it.

public async Task<string> StoreAsync(AuthenticationTicket ticket)
{
    // one fresh key per sign-in; this is what the cookie will reference
    string key = Guid.NewGuid().ToString();

    // inserting key, TicketString, TicketExpiry into the database

    return key;
}

public Task RenewAsync(string key, AuthenticationTicket ticket)
{
    // updating key, TicketString, TicketExpiry in the database

    return Task.CompletedTask;
}

app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
    /*
     OtherProperties
    */
    SessionStore = new SqlAuthenticationSessionStore(ticketFormat, db_connectionString)
});

3 answers

  1. Danny Nguyen (WICLOUD CORPORATION) 5,375 Reputation points Microsoft External Staff Moderator
    2025-07-23T10:20:35.5333333+00:00

    Hi James,

    To address your questions:

    1. Can I add more fields to the session table?

    Yes, you can add more fields to the table. The ASP.NET framework will only interact with the fields it knows about (typically Key, TicketString, TicketExpiry). Any additional fields you add will be ignored by the framework unless you explicitly read/write them in your custom session store implementation.


    2. How can I fetch the session key (GUID) later in other parts of the app (e.g., API layer)?

    Your issue is that the session key (GUID) stored in the database isn’t reliably available in claims when accessed from other parts of the application or external API calls. This suggests a problem with how the key is being stored or propagated.

    Recommended Approaches:

    Approach A: Store the key in the Authentication Cookie's Properties

    When you generate the ticket, add the session key to AuthenticationProperties:

    var properties = ticket.Properties;
    properties.Dictionary["SessionKey"] = key; // or any custom key
    

    Later, in any part of the app (Controller, Middleware), you can retrieve it like this:

    // OWIN/Katana: the properties come back from the ticket the SessionStore returned
    var result = await HttpContext.GetOwinContext().Authentication
        .AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationType);
    string sessionKey = null;
    result?.Properties?.Dictionary.TryGetValue("SessionKey", out sessionKey);
    

    Approach B: Store Session Key in HttpContext.Items

    If the key is only needed per-request, you can store it like this in middleware:

    // register this after app.UseCookieAuthentication(...) so the ticket is available
    app.Use(async (context, next) =>
    {
        var authResult = await context.Authentication
            .AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationType);
        string sessionKey = null;
        authResult?.Properties?.Dictionary.TryGetValue("SessionKey", out sessionKey);

        context.Set("SessionKey", sessionKey);

        await next();
    });
    

    Then access it anywhere in your request pipeline:

    var key = HttpContext.GetOwinContext().Get<string>("SessionKey");
    

    Approach C: Store the SessionKey in a Claim (with care)

    You can technically store it in claims, but keep in mind:

    • The claims get serialized into the cookie, and long or dynamic values can make the cookie size large.
    • Also, modifying claims after user signs in requires creating a new ticket and re-signing in.

    If you still want to try:

    var identity = (ClaimsIdentity)ticket.Identity;
    identity.AddClaim(new Claim("SessionKey", key));
    

    Then access:

    var sessionKey = User.Claims.FirstOrDefault(c => c.Type == "SessionKey")?.Value;
    

    Ensure you re-sign the user in after adding the claim.


    1 person found this answer helpful.
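The following is an added example (editor's code, not from the question or from any of the answers) that folds Approach A into the session store itself for a Katana/OWIN MVC app. StoreAsync writes the key into ticket.Properties.Dictionary before the ticket is protected and saved, so the stored ticket, which is what the cookie middleware hands back on every later AuthenticateAsync, carries its own key. The table has two columns (UserName, CreatedUtc) beyond the three the store reads, which is the situation asked about in question 1, and RemoveAsync is what a "kill session" API would call with the key: once the row is gone RetrieveAsync returns null and the cookie is treated as anonymous. The table name AuthSessions, its column names, the property name "SessionKey" and the GetSessionKeyAsync extension are assumptions; the authentication type passed to AuthenticateAsync must match the AuthenticationType configured in CookieAuthenticationOptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;

// Hypothetical store implementing Katana's IAuthenticationSessionStore.
// Table/column names are assumptions: AuthSessions(SessionKey, Ticket, ExpiresUtc, UserName, CreatedUtc).
// UserName and CreatedUtc are the "extra" columns; the middleware never sees them.
public sealed class SqlAuthenticationSessionStore : IAuthenticationSessionStore
{
    public const string SessionKeyProperty = "SessionKey"; // assumed property name

    private readonly ISecureDataFormat<AuthenticationTicket> _format;
    private readonly string _connectionString;

    public SqlAuthenticationSessionStore(ISecureDataFormat<AuthenticationTicket> format, string connectionString)
    {
        _format = format;
        _connectionString = connectionString;
    }

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // 256 bits from the CSPRNG instead of Guid.NewGuid(): the key is a bearer credential
        // (anyone who knows it can terminate the session) and GUIDs promise no unpredictability.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string key = Convert.ToBase64String(bytes);

        // Put the key into the ticket *before* Protect(), so it round-trips through RetrieveAsync
        // and shows up in AuthenticateResult.Properties on every later request.
        ticket.Properties.Dictionary[SessionKeyProperty] = key;
        await WriteAsync(key, ticket, insert: true);
        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        ticket.Properties.Dictionary[SessionKeyProperty] = key;
        return WriteAsync(key, ticket, insert: false);
    }

    public async Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "SELECT Ticket FROM AuthSessions WHERE SessionKey = @Key AND ExpiresUtc > SYSUTCDATETIME()", conn))
        {
            cmd.Parameters.Add("@Key", SqlDbType.NVarChar, 64).Value = key;
            await conn.OpenAsync();
            var protectedTicket = await cmd.ExecuteScalarAsync() as string;
            // null => cookie middleware treats the request as anonymous: this is how a deleted row ends a session
            return protectedTicket == null ? null : _format.Unprotect(protectedTicket);
        }
    }

    // Called by the middleware on sign-out, and by a "kill session" API that receives the key.
    public async Task RemoveAsync(string key)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("DELETE FROM AuthSessions WHERE SessionKey = @Key", conn))
        {
            cmd.Parameters.Add("@Key", SqlDbType.NVarChar, 64).Value = key;
            await conn.OpenAsync();
            await cmd.ExecuteNonQueryAsync();
        }
    }

    private async Task WriteAsync(string key, AuthenticationTicket ticket, bool insert)
    {
        string sql = insert
            ? "INSERT INTO AuthSessions (SessionKey, Ticket, ExpiresUtc, UserName, CreatedUtc) " +
              "VALUES (@Key, @Ticket, @Expires, @User, SYSUTCDATETIME())"
            : "UPDATE AuthSessions SET Ticket = @Ticket, ExpiresUtc = @Expires WHERE SessionKey = @Key";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Key", SqlDbType.NVarChar, 64).Value = key;
            cmd.Parameters.Add("@Ticket", SqlDbType.NVarChar, -1).Value = _format.Protect(ticket);
            cmd.Parameters.Add("@Expires", SqlDbType.DateTime2).Value =
                (ticket.Properties.ExpiresUtc ?? DateTimeOffset.UtcNow.AddDays(14)).UtcDateTime;
            if (insert)
                cmd.Parameters.Add("@User", SqlDbType.NVarChar, 256).Value = (object)ticket.Identity.Name ?? DBNull.Value;
            await conn.OpenAsync();
            await cmd.ExecuteNonQueryAsync();
        }
    }
}

// Reads the key back on any request (controller, filter, or right before an outbound API call).
public static class SessionKeyExtensions
{
    public static async Task<string> GetSessionKeyAsync(this HttpContextBase http)
    {
        var result = await http.GetOwinContext().Authentication
            .AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationType); // must match the configured type
        string key = null;
        result?.Properties?.Dictionary.TryGetValue(SqlAuthenticationSessionStore.SessionKeyProperty, out key);
        return key;
    }
}
```

Two points of design here. First, the SQL is parameterised throughout; the key is attacker-influenced input as soon as an external application is allowed to submit it to a kill-session API, so that API should also authenticate its caller and should call RemoveAsync with the key as data, never interpolate it. Second, this explains the "key is missing in claims" symptom: when a SessionStore is configured, the cookie only carries a short ticket whose single claim is the session id, and the middleware replaces that ticket with the one returned by RetrieveAsync before your code sees User, so a claim added to the identity anywhere other than the ticket that is actually stored does not survive the round trip.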

  2. Bruce (SqlWork.com) 82,146 Reputation points Volunteer Moderator
    2025-02-22T16:41:10.5933333+00:00

    Storing the key as a claim is the correct approach. There should be no issue with adding custom claims with cookie authentication.


  3. SurferOnWww 5,026 Reputation points
    2025-02-23T00:53:42.9+00:00

    It's an MVC app.

    I recommend that you use ASP.NET Identity. The following articles will be helpful to add the key as a claim to the ClaimsIdentity:

    If you enable the Role in the ASP.NET Identity, please use the UserClaimsPrincipalFactory<TUser,TRole> instead of UserClaimsPrincipalFactory<TUser>.

