2

I'm using Session in my application to store some data like user name(to write hello,...) and so on. Also, I'm using FormsAuthentication to authenticate user, so controllers have code like this:

protected void SetAuthCookie(int userId)
    {
        FormsAuthentication.SetAuthCookie(userId.ToString(), true);
        User user = Repositories.UserRepository.GetUserById(userId);

        Session["name"] = user.Name;
        Session["email"] = user.Email;
        Session["balance"] = user.TotalBalance + " / " + user.ActiveBalance;
        Session["isConfirmed"] = user.IsConfirmed;
        Session["phone"] = user.Phone;
    }

So, when I restart application after some code changes session data is destroyed, but user is still authenticated, so I have very bad situation and I want to fix it. On the one hand, I can create code somewhere, that will check if session data is ok and refresh it otherwise. On the other hand, may I miss some technique of storing this data in the right way?

What is the best solution in this situation?

<sessionState mode="InProc" customProvider="DefaultSessionProvider">
  <providers>
    <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
  </providers>
</sessionState>
Improve this question
14
  • 1
    cookies persist across sessions. what's the problem here? when you detect the cookie, set the session values. Commented Nov 3, 2014 at 13:24
  • 2
    also, using the session isn't recommended with MVC. MVC is meant to be as stateless as possible, and relying on the session would break that. Commented Nov 3, 2014 at 13:25
  • Sometimes, user is authenticated, but session data doesn't exist anymore. It happens, when I restart application after code changes and I'm afraid of this situation in other case Commented Nov 3, 2014 at 13:25
  • 1
    If the session is inProc, it would be destroyed when you recycle the applicationpool, which happens when you either update the web.config or rebuild (deploying new assemblies). Commented Nov 3, 2014 at 13:27
  • 2
    The problem is in the code, not with the way authentication works. Don't try to "fix" what isn't broken. Your code assumes that only non-authenticated users will ever visit your site which is obviously wrong. You can just check the Session object and refill it if you find it's empty. Commented Nov 3, 2014 at 13:33

1 Answer 1

Reset to default
2

I've had a similar problem solved it like this in the global.asax.cs file: It will force a logout if session is empty and the request is authenticated. (take one of your session values that always sholud be set to check for null)

    protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        ForceLogoutIfSessionExpired();
    }

    private void ForceLogoutIfSessionExpired()
    {
        if (Context.Handler is IRequiresSessionState)
        {
            if (Request.IsAuthenticated)
            {
                if (HttpContext.Current.Session["name"] == null)
                {
                    AuthenticationHandler.SignOut(Response);
                    Response.Redirect(FormsAuthentication.LoginUrl, true);
                }
            }
        }
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you for idea of Application_PreRequestHandlerExecute, I think it's what I need. But I'd prefer to refill Session data if it's empty, but not to signout user, it is also normal plan, isn't it?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.