After authenticating a user using Identity 2, I'd like to keep some information about him or her in Session. I can access Session in the immediate action method, which is the one that I'm redirecting the user to, but not after that.

This is the code:

```csharp
ClaimsIdentity ident = await UserManager.CreateIdentityAsync(Login,
    DefaultAuthenticationTypes.ApplicationCookie);
AuthManager.SignOut();
AuthManager.SignIn(new AuthenticationProperties
{
    IsPersistent = true
}, ident);
HttpContext.Session["var"] = "data";
return RedirectToAction("Index", "Home");
```

I have tried the following steps so far:

  1. I have manually added Session in the web.config.
  2. I have set runAllManagedModulesForAllRequests to true.
  3. I have checked the browser's cookie; it's being transmitted and it's the same during different requests.
  4. I have checked Session.SessionId and it's identical during different requests in the current Session.

This is web.config. It didn't have anything related to sessions and I added them manually.

```xml
<system.webServer>
  <modules>
    <remove name="Session"/>
    <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
  </modules>
</system.webServer>
```

I'm trying to debug the app on IIS Express, and I haven't tried IIS yet.

I have access to the session variable in the Account controller, which takes care of the login, and in the Home controller, which is where I redirect the user to, but not in any other controller. I should note that if I refresh the page to hit the Home controller for the second time, the session variable is lost. In other words, the values are not being preserved.

I just published the app and tried it on IIS, and it seems to work fine there.

Any possible solution and debugging guide is appreciated. :)

Akbari
  • Post your session configuration from your web.config. Also post more specifics. Where exactly can you get the session and where exactly can you not? Also, ASP.Net 5.2? Also, are you debugging in IIS, or IIS Express? – Ryan Mann Jul 30 '15 at 04:04

1 Answer

You are missing the sessionState element, you added the module, but you didn't configure it.

Link to MSDN on how

Also, you need to decorate your controller actions with SessionState Behavior attributes.

`[SessionState(SessionStateBehavior.ReadOnly)]`

or `[SessionState(SessionStateBehavior.Required)]`

Ryan Mann
  • I had checked different configurations, e.g. Timeout, and I was sure that they do exist. I tried adding ``, but it didn't help. It has one effect though: I don't have the session even in the immediate `action`, the one that I'm redirecting the user to. – Akbari Jul 30 '15 at 04:28
  • There's an issue with your web.config, that much I am positive. – Ryan Mann Jul 30 '15 at 04:30
  • After doing much research on this, you shouldn't be using sessionstate in MVC... It's more suited to webforms and relies on the element config too... Instead you should be using a Sql or NoSql solution, or EntityFramework, or PetaPoco, or straight SQL. – Ryan Mann Jul 30 '15 at 04:34
  • I'm keeping some sensitive data that shouldn't be preserved. Any other solution? – Akbari Jul 30 '15 at 04:35
  • Then just store it in a session cookie as a JSON blob and deserialize it to a JSON object; session cookies die when the browser session ends. SessionState stores it in a cookie too. – Ryan Mann Jul 30 '15 at 04:36
  • Oh, I found what you are missing to make it work in MVC: `[SessionState(SessionStateBehavior.ReadOnly)]`. You have to decorate your controller actions with a session state behavior, otherwise session state is off for the action. – Ryan Mann Jul 30 '15 at 04:42
  • But you really don't need it, it would probably be better (Identity 2) to store the sensitive information in a Claim, which would get persisted to the FedAuth cookie or "w/e cookie" Identity 2 uses to persist the authenticated user. I use WIF (Windows Identity Foundation) and I store some sensitive things in the user's Claims, which only they would see/have, which gets chunked into the encrypted FedAuth cookie. – Ryan Mann Jul 30 '15 at 04:43
  • Thanks man, I'll give it a try. The app is working fine on IIS, but the session changes each time the user starts the browser. I'd like to keep the data for the user, not just per session. Your suggestion will do that, won't it? – Akbari Jul 30 '15 at 04:46
  • I'll follow your second suggestion and use Claims. Just for the record, adding the `SessionState` attribute didn't help either. ;) – Akbari Jul 30 '15 at 04:50
  • Yeah, claims can do that, it's what claims are for and the whole reason why claims came to be. It's how you should be doing it anyways in my opinion. – Ryan Mann Jul 30 '15 at 04:57
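
The claims approach suggested in the comments above, as an added example that is not code from the original thread. It assumes the `ApplicationUser` and `ApplicationUserManager` classes of the default MVC 5 template, and the claim type `urn:example:var` is a made-up name.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class AccountController : Controller
{
    // Hypothetical claim type; any string unique to the application works.
    public const string VarClaimType = "urn:example:var";

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string userName, string password)
    {
        var owin = HttpContext.GetOwinContext();
        var userManager = owin.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(userName, password);
        if (user == null)
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }

        ClaimsIdentity ident = await userManager.CreateIdentityAsync(user,
            DefaultAuthenticationTypes.ApplicationCookie);
        // Takes the place of HttpContext.Session["var"] = "data": the claim is
        // serialized into the protected authentication cookie at SignIn.
        ident.AddClaim(new Claim(VarClaimType, "data"));

        owin.Authentication.SignOut();
        owin.Authentication.SignIn(new AuthenticationProperties { IsPersistent = true }, ident);
        return RedirectToAction("Index", "Home");
    }
}

[Authorize]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        // The cookie middleware rebuilds the identity on every request,
        // so the claim is readable from any controller, not just this one.
        var ident = (ClaimsIdentity)User.Identity;
        Claim claim = ident.FindFirst(AccountController.VarClaimType);
        ViewBag.Var = claim != null ? claim.Value : null;
        return View();
    }
}
```

The claim travels in the application cookie on every request and, with `IsPersistent = true`, survives browser restarts until the cookie expires or the user signs out. Keep the value small and leave out anything that must never reach the client, since the data's confidentiality then rests on the cookie protection keys.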