https://stackoverflow.com/questions/22390384
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianASP.NET Session is based on a unique user/browser id and it is set in a cookie. The session should be valid throughout the whole browsing session of the user. When the user closes the browser, that cookie is removed, and the session is over. It is separate from any authentication you are using - though you can certainly set/remove values during the authentication process.
confused on sessions and authentication
-
14-06-2023 - |
Question
I am using Session to store a few values and it works fine. When these values are null I need to handle this. Usually they values are set at the login page when they first visit the site.
1.. Do I need to check the authentication to see if session has expired?
What confused me was this post: How to Check whether Session is Expired or not in asp.net
The replies are using Session and IsAuthenticated for the same purposes.
2.. Does Authentication use Session or are they one in the same?
3.. Does the SessionId expire or change for that browser window?
I did notice that the SessionId is created when they open a browser page, at least I am assuming this. So, please correct me if I am wrong.
4.. Do I check to see if they are authenticated for means of checking to see if my Session variables are still valid?
This is what I came up with for each controller method that I want to check to see if the Session variable is valid AND if they are authenticated:
if (!HttpContext.User.Identity.IsAuthenticated)
{
Logging.WriteLog("User.Identity.Authenticated returned false");
return RedirectToAction("Logon", "Account");
//return View("Logon");
}
5.. Do I have the right idea?
Please clear some of this up for me!
La solution
Autres conseils
In ASP.NET, Session is completely independent of authentication.
If you're using Forms Authentication, a Forms Authentication ticket is stored in a Forms Authentication cookie which has nothing to do with the Session cookie.
In general, especially if you're using an InProc Session, it's best to assume a Session can expire at any time, e.g. because the AppDomain was recycled on the server.
Ideally, test for null, and recreate the Session object from persistent storage such as a database if it is null. If this is impossible, you'll have to redirect your user to a landing page and have him start again.
Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
