This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 18%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EX%3C/text%3E%3C/svg%3E)
Greetings everyone,
I'm developing an ASP.NET MVC App with Forms authenticatioin and the Membership (API) (i can't use Identity for now).
I noticed that the Session state is not always in sync with the authentication session , meaning, that a user can have an expired session and still be logged in, which will result in exception when trying to retrieve his authentication informations from the session.
Here is what i observed :
-Session is mapped to the server by an identifier set in a cookie .
-if the sessionState timeout expires than the session expires
-If we close the browser (all the browser tabs) than the cookie is deleted , and still the session lives on the server ,but because it can't be mapped to the session by the cookie , it creates a new session thus reinitializing it.
-if we stop the app on the server or the server recycles the session is lost
-The authentication identifier is also stored in a cookie.
-If the forms timeout expires than the user will be logged off.
-The authentication cookie is also removed when the browser is closed (all the browser tabs) therefore user is logged out ,Unless FormsAuthentication.createPersistentCookie is true than the user is still logged in even if he closes the browser.
-However if the user does not close the browser and the app in the server is stopped or the server recycles , than the user is still kept logged in, because the authentication cookie is still in the browser, and yet the session is lost.
I was wandering what is the best way to manage session state with forms authentication , i read that the session should not be synchronized with the authentication
process because they are not the same thing.
I was thinking to fix the issue in bold above, i would implement Session_Start in globall.asax to retrieve informations about the user if he is authenticated each time the session starts.
Thank you.
I was wandering what is the best way to manage session state with forms authentication , i read that the session should not be synchronized with the authentication
The Session State and Forms Authentication of the ASP.NET are independent. There is no relation between them at all. Therefore, you may forget about the Session State when you consider the Forms Authentication.
I agree with you, although as i'm not implementing Identity i find nowhere to persist user info but in the session state , i don't want to use cookies.....
but in the session state , i don't want to use cookies.....
It seems to me that the above is contradicting. The Session State uses a cookie to identify the user.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 4%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQM%3C/text%3E%3C/svg%3E)
Hi @xprogrammerx
Form validation is related to cookies, it is not directly related to sessions.
Best Regards
Qi You
Ok than , so the best way to store temporary user information with forms authentication is to use cookies.
Of course we may have other lenghty informations which only can be stored in the session(we don't want to use the database) , so we'll just make them unrelated to the authentication process.
Sometimes i also use Windows authentication , and Forms authentication with Active Directory Provider.
Best Regards.
so the best way to store user information with forms authentication is to use cookies.
No, it is not the way that ASP.NET Forms Authentication system provides.
In the ASP.NET Forms Authentication system, the critical user information such as the user id and password is stored at the server side such in the SQL Server database.
The cookie stores the authentication ticket. Please note that the authentication ticket does not include critical user information such as the user id and password.
Ok than , so the best way to store temporary user information with forms authentication is to use cookies.
What i meant was temporary user informations, of course the persistent informations would be in the database, but when the user get logged in you would need some temporary informations to be accessible so that you don't contact the database evrytime.
The Forms Authentication token has a user data area where you can store whatever you like inside the auth cookie along with the user's identity.
If you want to store user information in session, then write code that refreshes Session when session is null. Keep in mind, checking any cache for null and reloading is a standard programming pattern because a cache like session is volatile.
I would craft a separate static class that populates Session using the user's identity from forms authentication. That way you are only going to the database when Session is empty.
You did not say "temporary" in your previous comment.
Anyway, there is a provision in the ASP.NET Forms Authentication system to identify an anonymous user by using a cookie. I guess that you will need to study and obtain more detailed knowledge regarding how the ASP.NET Forms Authentication system works.
The Forms Authentication token has a user data area where you can store whatever you like inside the auth cookie along with the user's identity.
That is good news , can you provide me an example how to use this user data area?
If you want to store user information in session, then write code that refreshes Session when session is null. Keep in mind, checking any cache for null and reloading is a standard programming pattern because a cache like session is volatile.
That is what i had in mind, i can even use the Session_Start event in global.asax to intilalize the session according to the user authentified.
You did not say "temporary" in your previous comment.
Yes i edited my comment to reflect what i had in mind, and also to reflect the right informations.
can you provide me an example how to use this user data area?
Understanding the Forms Authentication Ticket and Cookie
FormsAuthenticationTicket Class
FormsAuthenticationTicket.UserData Property
UserDate is a string. You get to create whatever string format you like. For edxample, JSON, CSV, ...
Ok so about the FormsAuthenticationTicket it is settled
But how about if i want to store info in the session, is it convenient to implement Session_Start in global.asax to reinitialize the session according to the user authentified or is it unconvenient?
But how about if i want to store info in the session, is it convenient to implement Session_Start in global.asax to reinitialize the session according to the user authentified or is it unconvenient?
I explained how I would do deal with cache. At the point where the data is needed I would check if the Session has the data. If the Session has the data then get the data from Session. If the Session does not have the data then load the data. I would write a basic C# class to handle the details.
If you want to use Session_Start then give it a try.
Ok i will give it a try, thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Both session and authentication use cookies, and the default is browser session only (not stored) and similar timeout. But as stated above, they are independent of each other. You can have have a 90 day persistent session cookie, and 20 minute identity cookie or the reverse.
Yes both session and authentication use cookies,
-Session is mapped to the server by an identifier set in a cookie .
if you don't want session lost on recycle, use a persistent session. I have done apps where session is good for months and works whether the user is logged in or not.
note: I've never used in-proc session with production apps which typically are a farm.