SessionAuthenticationModule doesn't deserialize all claims from cookie, sometimes

Question

I am using WIF and claims-based security in a MVC app and custom logic to create a ClaimsPrincipal with the appropriate claims after they authenticate. I assign some standard claims like Role and Name to the principal but also assign custom claims where applicable.

I modeled my custom claims after the standardized Role and Name claims using a URI, for example

new Claim("http://schemas.acme.com/2012/04/identity/claims/create", "http://schemas.acme.com/2012/04/identity/resources/customer")

Everything has been working very well. I use the SessionAuthenticationModule to store the users session in cookies and rehydrate it on each request.

I noticed today that my custom claims are not deserialized from the cookie after someone logs in with the same usertype. The standard claims (Name/Role) are present but the custom claims aren't.

Has anyone else ever seen this or know why this is happening?

Answer 1

Turns out I was adding the claims that were disappearing by reference. I had a class with static claims pre-defined that I would add to the ClaimsPrincipal as necessary. Any of the claims that I added this way were later removed when another user of that type logged in. My solution was to change the static properties to KeyValuePairs and create new claims for each user.