I am using Asp.Net Membership and when user enters correct username and password I sign him in using:
FormsAuthentication.SetAuthCookie(String, Boolean)
If I create a persistent cookie then I think my membership will still be able to work but my session data will be null.
This is really annoying and introducing a whole lot of bugs in my application. How can I handle this?
Should I handle global.asax's Application_AuthenticateRequest and check if the userId which I store in session is null and Membership.GetUser() is not null, then I should store ProviderUserKey (Guid) again in Session.
Is this a reasonable approach or is there any better way of handling this?
You must configure your session and authcookie's life-time in your web.config file. See:
<forms timeout="5" />
<sessionState timeout="5" />
Forms are used for authentication and when it times out it will logout user. You can 'prevent' timeout by setting SlidingExpiration property to 'true' and it will renew forms ticket on user activity (read request to asp) if needed. This will keep user logged on while he is 'active' on your site.
and
When session times out you will lose data found in Session object.
Your problem may be this issue. Your auth-cookie is alive, but the session is timed-out. User is logged-in, but the session-variables are destroyed! Check this configuration in your app.
See this Q also
I think you need to use session for it instead of cookie. And according to me it is not preferable to save ProviderUserKey in session or anywhere. Use global.asax (Application_AuthenticateRequest) to check authentication and, based on that id, get ProviderUserKey from DB.
Hope my comment is useful for you.
Sessions and authcookies are different. An authcookie's life-time can be set in the forms timeout="5" config-section and a session's life-time should be set in the sessionState timeout="5" config-section. It is possible that an auth-cookie still persists, but the session has expired. Check this.
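One way to handle the case discussed above, where the forms ticket is still valid but the session has expired, as an added example that is not code from any of the posts. It assumes hypothetical session keys `UserId` and `UserName`, and it hooks `Application_PostAcquireRequestState` because session state is not yet loaded when `Application_AuthenticateRequest` runs.

```csharp
// Global.asax.cs: added example, not code from the original thread.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical session keys chosen for this example.
    private const string UserIdKey = "UserId";
    private const string UserNameKey = "UserName";
    // Session state is not loaded yet during AuthenticateRequest, so the
    // check runs once the session has been acquired.
    protected void Application_PostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        // Handlers that do not use session state have no Session object.
        if (ctx == null || ctx.Session == null) return;

        if (!ctx.Request.IsAuthenticated)
        {
            // No valid forms ticket: drop any identity cached in the session.
            ctx.Session.Remove(UserIdKey);
            ctx.Session.Remove(UserNameKey);
            return;
        }

        string ticketUser = ctx.User.Identity.Name;
        string cachedUser = ctx.Session[UserNameKey] as string;
        // Session still holds the key of the user named in the ticket.
        if (ctx.Session[UserIdKey] != null &&
            string.Equals(cachedUser, ticketUser, StringComparison.OrdinalIgnoreCase))
            return;

        // Session expired or belongs to an earlier login: reload from Membership.
        MembershipUser user = Membership.GetUser(ticketUser, false);
        if (user == null || !user.IsApproved || user.IsLockedOut)
        {
            // The cookie outlived the account: end the login, do not trust it.
            ctx.Session.Clear();
            FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        ctx.Session[UserIdKey] = user.ProviderUserKey; // a Guid with SqlMembershipProvider
        ctx.Session[UserNameKey] = ticketUser;
    }
}
```

Comparing the cached user name with the name in the ticket keeps session data left over from a previous login on the same browser from being served to the next user.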