Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

asp.net - Is there any good reason why the authentication cookie and the session state cookie are two separate cookies?

Is there any good reason why ASP.NET's session state cookie and the Forms Authentication cookie are two separate cookies? What if I want to "tie" them to each other? Is it possible in an elegant way?

Right now, I am stuck with the following solution, which works, but is still ugly:

[Authorize]
public ActionResult SomeAction(SomeModel model)
{
    // The following four lines must be included in *every* controller action
    // that requires the user to be authenticated, defeating the purpose of
    // having the Authorize attribute.
    if (SomeStaticClass.WasSessionStateLost/*?*/) {
        FormsAuthentication.SignOut();
        return RedirectToAction("Login", "Account");
    }

    // ...
}

@RPM1984: This is what happens:

[HttpPost]
public ActionResult Login(LoginModel loginModel)
{
    if (/* user ok */)
    {
        // ...
        Session["UserID"] = loginModel.UserID;
        Session["Password"] = loginModel.Password;
        // ...
    }
    else
    {
        return View();
    }
}

And it doesn't take much guessing to know what WasSessionStateLost does.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Session != Authentication

The session state cookie tracks the user's activity during a browser session.

The forms authentication cookie tracks the user's authenticated activity during a given time period, specified by the expiration date of the ticket and whether or not you have created a persistent cookie (e.g "Remember Me" checkbox).

You shouldn't be touching the session cookie itself, and all it contains is an identifier to tie the client session (browser) to the server.

If you need to access the session, use HttpContext.Current.Session.

What exactly are you trying to "tie" together?

What does SomeStaticClass.WasSessionStateLost do?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...