
ASP.NET Forms Authentication Cookie and Sessions for additional data

Application Background Security: The applications are all hosted on a private extranet (and/or a local intranet, depending on the installation instance). So while security is important, it's not as important as if it were an application on the intranet. However, having said that, it is important that the system cannot easily be hacked or hijacked.

The apps: The application comes in 2 parts:

  • Class Library (dll)
  • Authentication Front-end ASP.NET application

The dll is part of the front-end authentication application, and is to be added to other applications ("consumer apps") that require users to be authenticated.

The authentication app is a central store of all users, the applications they have access to, and permission levels based on their username.

For consumer apps that have the dll installed, when an end-user hits a page that requires them to be logged in, the consumer app fires them off to the authentication application's login.aspx page along with the appid. The user logs in, and if they have the required permissions the auth app sends them back to the consumer app (via a form with encrypted data) - which includes basic data about who the user is (username, real name, job role, organisation etc...) and, importantly, a list of their permission levels for the consumer app.

The consumer app then takes that data and processes it, decrypts it etc., and creates a forms authentication cookie & populates a user class and a user roles class - this is all done from within the dll itself.

The Problem

Now this all works great, and initially all the data was stored in the authentication cookie, in the userdata part of the cookie; however, here's the issue....

A consumer app (and there is one central one that has been written in-house) can have lots of permissions (user roles) associated with a single user (mainly application administrators), and so we need something that can hold lots of data, more than the 4KB that the authentication cookie can hold.

So I've attempted to put this into Session variables - well, initially a single variable with all the sent-over decrypted data in a single session variable called "userdata", which I then check when a request is made.

However...

The first issue I had was that the authentication cookie seems to have a longer life-span than the Session does. I think I've fixed this by extending the session to 35 minutes (5 minutes longer than the AuthCookie).

But when the consumer app programmer makes changes to their code (running localhost in debug via Visual Studio 2010) and refreshes the browser, the AuthCookie remains but the Session disappears. Now initially I'm using the default InProc session mode, which I guess could be the issue.

Is my assumption correct? And is there a way of programmatically syncing the session and the AuthCookie?

Any other advice on solving this issue?

Every time your application refreshes (this is likely happening when you are changing the code, but it could happen on the server for various reasons), your user sessions are going to be cleared out.

What you most likely want to do, if I'm reading this correctly, is check for the existence of the cookie in Session_Start and refresh the Session data so that it gets loaded back into the session. The session isn't the most stable thing in the world, and even the Session Timeout isn't always what you think it is.

If you don't already have one, add a Global.asax to your project. If it's C#, edit the Global.asax.cs; for VB, I think it's Global.asax.vb.

protected void Session_Start(object sender, EventArgs e)
{
// Check for Cookie, if it exists here, then load data into the session here.
}
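As an added illustration (not the answerer's code, nor the dll's), a fuller Session_Start for the consumer app's Global.asax.cs: it decrypts the forms ticket, treats an unreadable or expired ticket as a logout, brings the session timeout into line with the ticket's remaining life so the two stop drifting apart, and reloads the oversized permission set from the central store rather than from the client. `PermissionStore.LoadForUser` is an assumed hook standing in for whatever lookup the dll provides.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Assumed consumer-app Global.asax.cs (example, not from the original answer).
public class Global : HttpApplication
{
    private const string UserDataKey = "userdata";

    protected void Session_Start(object sender, EventArgs e)
    {
        // A brand-new session while the client still holds a forms ticket means
        // InProc state was lost (rebuild, app-pool recycle). Rebuild server-side
        // state from the ticket only; nothing else the client sent is trusted.
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null) return;

        FormsAuthenticationTicket ticket = null;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            // Undecryptable ticket (tampered, or machineKey changed): fall through
            // to the sign-out path below.
        }

        if (ticket == null || ticket.Expired)
        {
            FormsAuthentication.SignOut();
            Session.Abandon();
            return;
        }

        // Session.Timeout is in minutes; keep the session alive at least as long
        // as the ticket plus a small margin, so a valid ticket never meets an
        // empty session again.
        int ticketMinutesLeft = (int)Math.Ceiling((ticket.Expiration - DateTime.Now).TotalMinutes);
        Session.Timeout = Math.Max(Session.Timeout, ticketMinutesLeft + 5);

        // The permission list is too large for the 4KB cookie, so re-fetch it from
        // the authoritative central store, keyed by the authenticated name.
        // PermissionStore.LoadForUser is an assumed hook, not a real API.
        Session[UserDataKey] = PermissionStore.LoadForUser(ticket.Name);
    }
}
```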
