
We are using Gigya to authenticate the user which will provide us with user Id and email. Then we pass the user detail to our CRM Web Service which will return the user data from CRM.

We then need to create a session for the user so that we can identify whether the user is logged in or not. If not logged in then redirect to Gigya for login/register etc.

Now, given that we are not using any ASP.NET Membership or similar, I'm thinking about how we are going to secure the member pages. One way I can think of is to store the user detail in session. Then check if the user detail exists in session; if it doesn't exist, prompt for login.

I'm also thinking whether:

  1. I can use FormsAuthentication.SetAuthCookie or similar to create an ASP.NET session

  2. Or is there a better way to achieve this.

Also, if I use FormsAuthentication.Logout will it clear all my session and cookies even though I'm not using asp.net membership provider?

Goal:

  1. To be able to create a session for the user
  2. Be able to authorize the user based on the user role which we get from CRM.
  3. Be able to log out the user on Logout button click.

1 Answer

First, and this is very very very important from a security perspective.

Authentication != Session.

They are different concepts. Second,

NEVER USE SESSION for AUTHENTICATION

see first rule. FormsAuthentication has nothing. Zero. Zilch. Nada. To do with session management. Nor does it have anything to do with Membership or credential verification. All it does is store a cookie that ASP.NET can decode to verify that the user is authenticated or not. This cookie is set by your application when it has validated the user's credentials.

FormsAuthentication.Logout() does not clear sessions, because as I already said, they have nothing to do with each other. You have to clear the session by calling Session.Abandon().

Session is about storing data for a user, and is not secure. Session is volatile, and IIS can discard it whenever it feels like, for any reason, at any time. You cannot depend on Session to be there from one request to the next.

Authentication is encrypted, and strictly about proving the user has been authenticated.

Authentication can transcend sessions. It can be good for hours, weeks, months... Your session is only good for the time you are currently there (if IIS doesn't kill it earlier).


2 Comments

Given that our users are already authenticated using Gigya, are you saying that we don't need to use any of the FormsAuthentication functions? If session is not the right approach to track logged-in users, then what's the alternative?
@Myagdi - I don't know anything about Gigya, so I don't know if they provide some mechanism of doing this or not. But I suggest you re-read what I wrote.
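The following is an added example, not code from the question, the answer, or Gigya. It shows the separation the answer describes in a classic ASP.NET (System.Web) application: once Gigya and the CRM web service have vouched for the user, the application issues a forms-authentication ticket that carries the CRM roles in its encrypted UserData, rebuilds a principal with those roles on each request, and on logout clears both the auth cookie and the session, since neither clears the other. In System.Web.Security the sign-out method is FormsAuthentication.SignOut(); the CrmUser record, the SignIn/AttachPrincipal/SignOut names and the Global.asax wiring are assumptions for illustration. It assumes `<authentication mode="Forms">` in web.config.

```csharp
// Added example, not the original post's code. Assumes classic ASP.NET (System.Web)
// with <authentication mode="Forms"> configured; CrmUser and the method names are hypothetical.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class CrmAuth
{
    // Hypothetical result of the Gigya login followed by the CRM web-service lookup.
    public class CrmUser
    {
        public string Id;
        public string Email;
        public string[] Roles;   // roles come from CRM, not from Session
    }

    // Call this only after Gigya has verified the user and CRM returned the record.
    // The auth ticket is encrypted and signed by ASP.NET; roles ride in UserData,
    // so authorization does not depend on volatile Session state at all.
    public static void SignIn(HttpResponse response, CrmUser user, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            user.Id,                        // identity name (Gigya/CRM user id)
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(30),    // expiration; renew or shorten as policy dictates
            persistent,                     // survive browser close?
            string.Join(",", user.Roles));  // CRM roles, comma separated

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // keep script from reading it
            Secure = FormsAuthentication.RequireSSL   // honour requireSSL from web.config
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Rebuilds the principal, including CRM roles, from the ticket on every request.
    // Wire it from Global.asax:
    //   protected void Application_PostAuthenticateRequest(object s, EventArgs e)
    //   { CrmAuth.AttachPrincipal(HttpContext.Current); }
    public static void AttachPrincipal(HttpContext context)
    {
        var identity = context.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }

    // Role check usable from a page or handler; equivalent to [Authorize(Roles = "...")] in MVC
    // or <authorization><allow roles="..."/></authorization> in web.config.
    public static bool IsInCrmRole(HttpContext context, string role)
    {
        return context.User != null
            && context.User.Identity.IsAuthenticated
            && context.User.IsInRole(role);
    }

    // Logout button: the answer's point in code. SignOut() removes only the auth cookie;
    // Session.Abandon() discards only the session. Do both, and expire the session-id
    // cookie so the browser does not keep presenting the old id.
    public static void SignOut(HttpContext context)
    {
        FormsAuthentication.SignOut();
        if (context.Session != null) context.Session.Abandon();
        context.Response.Cookies.Add(
            new HttpCookie("ASP.NET_SessionId", "") { Expires = DateTime.Now.AddDays(-1) });
    }
}
```

With this in place, member pages are protected by the forms-auth ticket rather than by "is there a user object in Session": an unauthenticated request to a page guarded by `<deny users="?"/>` is redirected to the configured loginUrl, where the application sends the user to Gigya. Session can still be used as a cache for CRM data, but losing it (IIS recycle, timeout) should only cost a CRM round trip, never the user's authenticated state.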
