Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am building a web service (ASMX) in C#. I am thinking of using ASP.net session ID as a token for authentication.
I have session-id generated with CreateSessionID. This will be sent to client after successful authentication (as return value of web-service call ‘login’).
For subsequent requests, the client will send the session-id as a parameter to the web-service call. Is it possible to recreate the session from this session ID string ?
Thanks in advance.
The problem with this approach is CreateSessionID doesn’t actually create a session. As the name suggests, it creates only a unique session id. If you look at the MSDN documentation, it says
If you read a bit more, you’ll see that the method is meant to be overridden by custom session id managers, which can then be integrated into the session management system by editing your web.config.
In other words, your current usage of CreateSessionID is not doing what you want it to do.
If you actually want to use Session state in your web service, you should have a look at this article.
Briefly, you need to add the
EnableSession=trueparameter to your[WebMethod]attributes, and then you can access the session automatically viaContext.Session. Note that this does not require passing the session id via the service, as IIS will handle everything for you.You can use the
CreateSessionID()method (though preferably you’d use something else) to create a token that the users needs to pass with each request, but it would only be used to verify the user; no session could be regenerated based on it. If you do go this route, make sure your service is accessed via HTTPS. Otherwise, any eavesdropper will see the token right there in plain-text (though this can mitigated if you also check against IP address/user-agent string/etc.)Hope that helps.