ASP.NET MVC project architecture problems — authorization and session

I am finishing a project that started another programmer. Alter the entire architecture is not possible, but some things I want to overwrite. Namely - the authorization, and a way to store the current user session. The project represents a client that communicates with the server through the soap-services. On the server, there is Security-Services, and several others, for example, A-service, B-Service. Security service provides authentication and session key with which initialized other services. The project is written in ASP.NET MVC3, the head of a user model, which is implemented as singletone-Class, which describes the methods of interacting with services. How authorization works - there is CustomMembershipProvider with overridden ValidateUser method, which operates on Security-service. If successful authorization occurs the user registration in asp.net - FormsService.SignIn (model.UserName, false) and then initizalied user cla开发者_开发问答ss:

class SiteUser 
{ 
    public static SiteUser Current 
    { 
        get 
        { 
            if (HttpContext.Current.Session.IsNewSession & &! HttpContext.Current.User.Identity.IsAuthenticated) 
            { 
                throw new UserAutorizationExeption () {Reason = AuthExceptionReason.NewSession}; 
            } 

            if (HttpContext.Current.Session [sessionKey] == null) 
            { 
                FormsAuthentication.SignOut (); 
                throw new UserAutorizationExeption () {Reason = AuthExceptionReason.ServerSessionExpired}; 
            } 

            return HttpContext.Current.Session [sessionKey] as W1User; 

        } 
        set 
        { 
            if (HttpContext.Current.Session! = null) 
            { 
                HttpContext.Current.Session [sessionKey] = value; 
            } 
        } 
    } 

    public SiteUser () 
    { 
    } 


    public static SiteUser Create () 
    { 
        SiteUser.Current = new SiteUser (); 

        return SiteUser.Current; 
    } 

    / / Web-services methods go here 
} 

The main problem is that now the session is stored in memory: web.config:

<sessionState mode="InProc" timeout="20" /> 

Set SqlServer-mode is problematic because it would be difficult SiteUser serialized. How can I get around this? And there are problems with authorization - how to correctly do Asp.Net synchronization sessions with a session on services? Sorry for my English, if needed clarification - ask questions. Thank you.

---

I personally prefer things simpler hence if I could, I would have a dedicated user to use the services so you do not have to impersonate the user down to the services layer hence having to maintain a session key.

Having said that it is not always possible, especially in a SOA environment where service layer does provide services to 3rd parties and auditing, etc. In fact my project looks like this.

You cannot get away from having a session if you need to impersonate the user to the service layer. InProc session provides better performance and SqlServer mode provides better scalability - decision on trade off is yours.

There is an alternative to store user's session key in the user table itself and retrieve every time and invalidate when user logs out. But this is only a custom implementation of user session.