confused on sessions and authentication

I am using Session to store a few values and it works fine. When these values are null I need to handle this. Usually the values are set at the login page when they first visit the site.

1. Do I need to check the authentication to see if session has expired?

What confused me was this post: How to Check whether Session is Expired or not in asp.net

The replies are using Session and IsAuthenticated for the same purposes.

2. Does Authentication use Session or are they one and the same?

3. Does the SessionId expire or change for that browser window?

I did notice that the SessionId is created when they open a browser page, at least I am assuming this. So, please correct me if I am wrong.

4. Do I check to see if they are authenticated for means of checking to see if my Session variables are still valid?

This is what I came up with for each controller method that I want to check to see if the Session variable is valid AND if they are authenticated:

  if (!HttpContext.User.Identity.IsAuthenticated)
  {
    Logging.WriteLog("User.Identity.Authenticated returned false");
    return RedirectToAction("Logon", "Account");
    //return View("Logon");
  }

5. Do I have the right idea?

Please clear some of this up for me!

Answers


ASP.NET Session is based on a unique user/browser id and it is set in a cookie. The session should be valid throughout the whole browsing session of the user. When the user closes the browser, that cookie is removed, and the session is over. It is separate from any authentication you are using - though you can certainly set/remove values during the authentication process.


In ASP.NET, Session is completely independent of authentication.

If you're using Forms Authentication, a Forms Authentication ticket is stored in a Forms Authentication cookie which has nothing to do with the Session cookie.

In general, especially if you're using an InProc Session, it's best to assume a Session can expire at any time, e.g. because the AppDomain was recycled on the server.

Ideally, test for null, and recreate the Session object from persistent storage such as a database if it is null. If this is impossible, you'll have to redirect your user to a landing page and have him start again.
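
The approach in the answers above, as an added example that is not part of the original posts: an ASP.NET MVC action filter that checks the authentication ticket and the Session separately, and refills the Session from persistent storage when it is empty or was created under a different login. `IUserValueStore`, `RequireUserSessionAttribute` and the `SessionOwner` key are hypothetical names; the `Logon`/`Account` redirect target is taken from the question.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical persistence interface (assumption); back it with your database.
public interface IUserValueStore
{
    // Returns null when nothing is stored for this user.
    IDictionary<string, object> Load(string userName);
}

public class RequireUserSessionAttribute : ActionFilterAttribute
{
    private const string OwnerKey = "SessionOwner"; // assumed key name

    // Assumed to be assigned once at application start.
    public static IUserValueStore Store { get; set; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;

        // 1. Authentication is decided by the Forms Authentication ticket, not by Session.
        if (!http.User.Identity.IsAuthenticated || http.Session == null)
        {
            filterContext.Result = RedirectTo("Logon", "Account");
            return;
        }

        // 2. Session can be empty (timeout, AppDomain recycle) or left over from an
        //    earlier login in the same browser, so compare the recorded owner.
        string user = http.User.Identity.Name;
        if ((http.Session[OwnerKey] as string) != user)
        {
            http.Session.Clear();
            var values = Store != null ? Store.Load(user) : null;
            if (values == null)
            {
                // Nothing to rebuild from: send the user back to start again.
                filterContext.Result = RedirectTo("Logon", "Account");
                return;
            }
            foreach (var pair in values) http.Session[pair.Key] = pair.Value;
            http.Session[OwnerKey] = user;
        }
    }

    private static ActionResult RedirectTo(string action, string controller)
    {
        return new RedirectToRouteResult(
            new RouteValueDictionary(new { action, controller }));
    }
}
```

Applying `[RequireUserSession]` to a controller or action replaces the per-method check from the question. Recording the owner in the Session matters because the Session cookie and the authentication cookie have independent lifetimes.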

