1

I currently have a website, where people take a quiz. At the moment when someone starts taking a quiz, I create a session variable to keep a track of them.

This is fine at the moment, but I post to an ASP.net MVC controller, where I can set the session variable and retrieve it.

I want to move the functionality into WebAPI because I want to make all of the answers to be submitted over AJAX now and I can't set and retrieve session variables in a WebAPI controller.

What is the alternative to keep a track of a session?

I guess I could just generate a random string and pass that back and forth, but it seems a little primitive?

WebAPI is stateless and I want it to remain this way, but I want to way to track users without resorting to Sessions which are against the principles of WebAPI/REST.

Luke
  • 22,826
  • 31
  • 110
  • 193
  • possible duplicate of [Accessing Session Using ASP.NET Web API](http://stackoverflow.com/questions/9594229/accessing-session-using-asp-net-web-api) – Stephen Kennedy Jun 20 '15 at 15:56
  • I don't want to access the sessions, I want an alternative. I want WebAPI to remain stateless...thanks – Luke Jun 20 '15 at 15:57
  • What are you doing in the way of authentication? – Stephen Kennedy Jun 20 '15 at 15:59
  • I'm using ASP.NET Identity at the moment for main users of the site. For quiz taking, logging in isn't required. Thanks for your help :) – Luke Jun 20 '15 at 16:00
  • All useful info - you might want to add that to the question too . So, the quiz users are anonymous... How about keeping track of the progress of the quiz in an object and resubmitting that object to the web service each time? Otherwise you're probably looking at cookies and then you may just as well use Session ;) – Stephen Kennedy Jun 20 '15 at 16:05
  • Indeed the quiz takers are anonymous. I'm not sure that I can use a session anyway, because I intend to move the quiz taking in to a widget that can be embedded into any website (without iframes) so I would imagine that sessions aren't an option with requests coming from another site? – Luke Jun 20 '15 at 16:16
  • Is there any kind of standard that exists. Looking at the web, I want token-based security... I think that might be what I need. However, I don't know if there is a standard way of creating tokens etc – Luke Jun 20 '15 at 16:19
  • If the state that you need to keep hold of is small enough, why not just encode it as a hidden field in your form? You can encrypt it if necessary. – spender Jun 21 '15 at 12:25