Asp – the best way of handling users session in ASP.Net

asp.net

Any user who logs in needs to provide username, password and domain. For that user a windows identity shall be created on the server side. In this scenario what is the best way to handle user's session across the pages using his identity in ASP.Net?

Best Solution

I'm guessing the username, password, domain is authenticated against an Active Directory? If so, you'll be interested in this article: How To: Use Forms Authentication with Active Directory in ASP.NET 2.0

If you are just using session to 'remember someone is logged in' this will handle it all for you.

Related Solutions

Asp.net cookies, authentication and session timeouts

Avoid using session as much as you can, if you can get away without seesion it makes multi-server deployments qutie a bit easier. Probably, Name and email are easy candidates for cookies. It's easy to fake a cookie, so userID may not be a good idea depending on your security needs.

The forms authentication cookies are encrypted and you can add extra data to those cookies (See details below). It's probably hackable but not nearly as easily as a simple cookie.

Here is the code I have used in the past slightly modified to remove some project specific details. Call this in the LoggedIn event of the login control.

void AddUserIDToAuthCookie(string userID)  
{  
  //There is no way to directly set the userdata portion of a FormAuthenticationTicket  
  //without re-writing the login portion of the Login control  
  //  
  //I find it easier to pull the cookie that the Login control inserted out  
  //and create a new cookie with the userdata set  

  HttpCookie authCookie = Response.Cookies[AUTH_COOKIE];
  if(authCookie == null)
  {
    return;
  }

  Response.Cookies.Remove(AUTH_COOKIE);

  FormsAuthenticationTicket oldTicket = FormsAuthentication.Decrypt(authCookie.Value);
  var newTicket =
    new FormsAuthenticationTicket(oldTicket.Version, oldTicket.Name, oldTicket.IssueDate, oldTicket.Expiration,
                                  oldTicket.IsPersistent, userID, oldTicket.CookiePath);

  authCookie.Value = FormsAuthentication.Encrypt(newTicket);

  Response.Cookies.Add(authCookie);
}

FYI, I copied this from an old project and edited it here to remove some project specific bits, so it may not compile, but it'll be very close.

To get the ID in your webpage...

FormsAuthenticationTicket ticket = ((FormsIdentity) Page.User.Identity).Ticket;
string id = ticket.UserData;

I used this mechanism to store an id that was not part of the aspnetdb user data. If all your identity data is handled by the aspnetdb, you may only need to access the Page.User.Identity object.

Asp – Best way to keep ASP.Net Session Active

You can set the timeout setting to a higher value, but you can't make the difference between a session_end caused by a timeout or by a user that ends his session.

The solution to your problem is probably to restore the user's session in the session_start method in Global.asax.

Best Solution

Related Solutions

Asp.net cookies, authentication and session timeouts

Asp – Best way to keep ASP.Net Session Active

Related Question