2

Currently, in some of my .NET applications I keep track of logon state in a Session variable. This works well; however, if we update the .NET application .DLL, the session is wiped out, and users are forced to log on and start over.

What can we do to prevent users from having to log on again?
Can we somehow store logon credentials with Basic authentication to accomplish this?

William Walseth
  • 1
    You could store some token in a cookie and identity info linked to that token in the database. When the session is restarted, try to restore the identity using the token and the data in the database. Do not store credentials or something like that in token/database!!! Also, make sure that the token expires after some time. – Dusan Dec 04 '15 at 22:05
  • Thanks. I guess I'm looking to jam the token into the authentication header, so it comes back with every subsequent request. Is that possible with the authentication header, or am I stuck with cookies? – William Walseth Dec 04 '15 at 22:12
  • 1
    Keeping track of the authentication in a session variable tightly couples the authentication to session. Asp.Net has many built-in authentication schemes, and is keeping track of the auth token by a selection of ways (cookie, query string). If you enable forms authentication, your users will still be authenticated after your app is recycled (dll update for instance) and it is up to your design to fill the session information for the user again, or you can also consider using out of proc session options like state server or sql server – Oguz Ozgul Dec 04 '15 at 22:12

1 Answer

1

I would go with the following scheme:

https://stackoverflow.com/a/244907/461810

You need to tweak it a little bit: make sure your auto-login token (cookie) is updated on every request and expires in a short time (sessionTimeout + 1 min), as it just needs to survive a session restart.

Dusan
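
The scheme described in the comments and in this answer (a random token in a cookie, identity looked up server-side, a short expiry renewed on every request), sketched as an added example that is not part of the original answer or the linked post. The class and method names, the in-memory dictionary standing in for the database table, and the choice to store only a SHA-256 hash of the token are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// In-memory stand-in for the database table linking tokens to identities (assumption).
public sealed class AutoLoginStore
{
    private readonly Dictionary<string, KeyValuePair<string, DateTime>> _rows =
        new Dictionary<string, KeyValuePair<string, DateTime>>();
    private readonly TimeSpan _lifetime;
    // Lifetime as in the answer: session timeout plus one minute.
    public AutoLoginStore(TimeSpan sessionTimeout) { _lifetime = sessionTimeout + TimeSpan.FromMinutes(1); }

    // Only a hash of the token is stored, so a leaked table cannot be replayed as cookies.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // At login: random 256-bit value for the cookie; no credentials go into it.
    public string Issue(string userId, DateTime nowUtc)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _rows[Hash(token)] = new KeyValuePair<string, DateTime>(userId, nowUtc + _lifetime);
        return token;
    }

    // On each request: returns the user id and slides the expiry, or null if unknown/expired.
    public string Validate(string token, DateTime nowUtc)
    {
        string key = Hash(token ?? "");
        KeyValuePair<string, DateTime> row;
        if (!_rows.TryGetValue(key, out row)) return null;
        if (row.Value <= nowUtc) { _rows.Remove(key); return null; }
        _rows[key] = new KeyValuePair<string, DateTime>(row.Key, nowUtc + _lifetime);
        return row.Key;
    }
    public static void Main()
    {
        var store = new AutoLoginStore(TimeSpan.FromMinutes(20));
        var t0 = new DateTime(2015, 12, 4, 22, 0, 0, DateTimeKind.Utc); // constructed clock
        string cookie = store.Issue("user-42", t0);                      // constructed user id
        Console.WriteLine(store.Validate(cookie, t0.AddMinutes(15)) ?? "(login required)");
        Console.WriteLine(store.Validate(cookie, t0.AddMinutes(30)) ?? "(login required)");
        Console.WriteLine(store.Validate(cookie, t0.AddMinutes(60)) ?? "(login required)");
    }
}
```

In an ASP.NET application the value returned by `Issue` would be sent as an HttpOnly, Secure cookie, and `Validate` would run when a request arrives with that cookie but no live session.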