0

I am using ASP.NET Membership, and when the user enters the correct username and password I sign him in using:

FormsAuthentication.SetAuthCookie(String, Boolean)

If I create a persistent cookie then I think my membership will still be able to work but my session data will be null.

This is really annoying and is introducing a whole lot of bugs in my application. How can I handle this?

Should I handle global.asax's Application_AuthenticateRequest and check whether the userId which I store in session is null and Membership.GetUser() is not null, and then store the ProviderUserKey (Guid) in Session again?

Is this a reasonable approach or is there any better way of handling this?

3 Answers

1

You must configure your session's and auth cookie's lifetimes in your web.config file. See:

<forms timeout="5" />

<sessionState timeout="5" />

Forms are used for authentication, and when it times out it will log out the user. You can 'prevent' the timeout by setting the SlidingExpiration property to 'true', and it will renew the forms ticket on user activity (read: a request to ASP) if needed. This will keep the user logged on while he is 'active' on your site.

and

When session times out you will lose data found in Session object.

Your problem may be this issue. Your auth cookie is alive, but the session has timed out. The user is logged in, but the session variables are destroyed! Check this configuration in your app.


See this Q also

2 Comments

I don't want to set the forms and sessionState timeouts to the same value. What if they are different? How can I then set the data in session again? What is the best way to do that?

If the session has timed out, you must fill its data again. Or you can put the light data in cookies instead of session. For example, I usually save the first name, last name, email, etc. in cookies. You can also put heavy data in a cookie, but it is not recommended; it is also not recommended to put heavy objects in session. So: 1- if you have light data, put it in cookies (instead of session); 2- if you have big and heavy objects, it's better to select them from the database when you need them.
0

I think you need to use session for it instead of a cookie. And in my opinion it is not preferable to save ProviderUserKey in session or anywhere. Use global.asax (Application_AuthenticateRequest) to check authentication and, based on that id, get ProviderUserKey from the DB.

Hope my comment is useful for you.

0

Sessions and auth cookies are different. An auth cookie's lifetime can be set in the forms timeout="5" config section, and the session's lifetime should be set in the sessionState timeout="5" config section. It is possible that an auth cookie still persists but the session has expired. Check this.

1 Comment

What does your "Check this" at the end mean? I understand the auth cookie persists. So how can I set the data in session again? What is the best way to do that?
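
One way to refill the session when the forms ticket outlives it, as an added example (not code from the question or from any answer above). It assumes a membership provider whose ProviderUserKey is a Guid, as in the question; the session keys `UserId` and `SessionOwner` are hypothetical names. It hooks PostAcquireRequestState rather than Application_AuthenticateRequest because session state is not yet attached to the request when AuthenticateRequest fires.

```csharp
// Global.asax.cs (added example; key names below are hypothetical)
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class Global : HttpApplication
{
    private const string UserIdKey = "UserId";       // holds the ProviderUserKey
    private const string OwnerKey = "SessionOwner";  // user name the session was built for

    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        HttpSessionState session = ctx.Session;
        if (session == null) return; // handler without session state (e.g. static files)

        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            // Anonymous request: do not leave a previous user's data in the session.
            if (session[OwnerKey] != null) session.Clear();
            return;
        }

        string name = ctx.User.Identity.Name;
        string owner = session[OwnerKey] as string;

        // Session is populated and belongs to the authenticated user: nothing to do.
        if (session[UserIdKey] != null &&
            string.Equals(owner, name, StringComparison.OrdinalIgnoreCase)) return;

        // Session expired (fresh, empty session) or was built for another identity.
        session.Clear();
        MembershipUser user = Membership.GetUser(name);
        if (user == null || !user.IsApproved || user.IsLockedOut)
        {
            // The persistent ticket outlived the account: end the login
            // instead of rebuilding a session for it.
            FormsAuthentication.SignOut();
            ctx.Response.Redirect(FormsAuthentication.LoginUrl, false);
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        session[OwnerKey] = name;
        session[UserIdKey] = (Guid)user.ProviderUserKey; // Guid per the question
    }
}
```

Comparing the stored owner with the ticket's identity on each request also keeps session data from being reused under a different login in the same browser.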
